GDPR: 1 Year of Non-Compliance
Feeling good about your FATCA compliance? How about GDPR compliance? The European Union (EU) General Data Protection Regulation (GDPR) came into effect on May 25, 2018. If you have not yet created a compliance program, you are almost a year late. And yes, the GDPR may apply to United States financial institutions (USFIs).
What Is It?
The GDPR is an EU legal regime that provides a consumer with rights regarding her personal data. The GDPR was created to replace an outdated EU privacy directive that was ineffective in addressing the modern technological world.
The new regulation requires businesses to protect EU citizens’ privacy and personal data. The personal data at issue includes:
Basic identity information such as date of birth, name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
Religious or philosophical beliefs
Trade union membership
The GDPR grants several rights to consumers that your organization may not be prepared to address. A consumer has the following rights with respect to her personal data:
The right to portability may be an eye opener for those USFIs providing inferior services. Some clients do not change service providers because it’s a hassle. However, the right of portability creates a smooth process for a client to transfer to another service provider.
GDPR in the U.S.
The GDPR has extraterritorial reach - with that reach extending to the U.S. Remember the U.S. giving FATCA an extraterritorial reach? Now the U.S. is on the receiving end! A U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. It does not matter whether the U.S. business has any offices or operations in the EU.
Data Processor v Data Controller
Responsibilities differ under the GDPR depending upon whether you are a “data processor” or “data controller.” What’s the difference?
A data controller is the organization that owns the data.
A data processor is an external organization that helps manage the data or actively process it under the direction of the data controller.
The data controller cannot turn a blind eye to her data processor’s treatment of the EU personal data. If your data processor is not compliant, your organization is not compliant.
The GDPR is enforceable through the EU’s Data Protection Authority (Supervisory Authority) and local enforcement authorities of the EU member states. The enforcement can be civil and/or criminal and may include prosecution of individual directors and officers for deliberate breaches.
Fines for violation of the GDPR can be steep: the higher of 20 million euros or four percent of global annual revenues.
A data breach must be reported within 72 hours from when the organization becomes aware that a breach has occurred. If there is an internal delay in communicating the breach to the compliance officer, the clock is ticking and you might miss the 72-hour deadline. The result could be a double penalty: the original breach fine and a late reporting fine.
If you fail to comply with some regulatory programs, your failure may be discovered through a government examination or by an employee reporting you to the government authority. With GDPR, you face the added layer of your clients reporting you to the government authority. The stakes are high, so implementing a compliance program is crucial.
It is possible that your existing policies adequately cover issues raised by the GDPR. However, it is necessary to undertake a review of internal and external processes to determine if GDPR-specific policies should be implemented. The mapping of data should include internal sharing and storage along with the mapping of data flows to third-party service providers.
The following are some of the issues to address:
Map data flows.
Review controls / conduct risk assessment.
Obtain informed consent from clients: opt in, not opt out.
Review and amend existing vendor agreements re: breach liability.
Train management team and staff.
Create a data protection plan or review and update existing data protection plan.