  • Elizabeth A. McMorrow

GDPR: 1 Year of Non-Compliance

Feeling good about your FATCA compliance? How about GDPR compliance? The European Union (EU) General Data Protection Regulation (GDPR) came into effect on May 25, 2018. For those that have not yet created a compliance program, you are almost a year late. And yes, the GDPR may apply to United States financial institutions (USFIs).

What Is It?

The GDPR is an EU legal regime that gives a consumer rights regarding her personal data. The GDPR was created to replace an outdated EU privacy directive that was ineffective in addressing the modern technological world.

The new regulation requires businesses to protect EU citizens’ privacy and personal data. The personal data at issue includes:

  • Basic identity information such as date of birth, name, address and ID numbers

  • Web data such as location, IP address, cookie data and RFID tags

  • Health and genetic data

  • Biometric data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

  • Religious or philosophical beliefs

  • Trade union membership

Consumer Rights

The GDPR grants several rights to consumers that your organization may not be prepared to address. A consumer has the following rights with respect to her personal data:

  • Access

  • Update

  • Opt out

  • Erasure

  • Portability

The right to portability may be an eye-opener for those USFIs providing inferior services. Some clients do not change service providers because it’s a hassle. However, the right of portability creates a smooth process for a client to transfer to another service provider.

GDPR in the U.S.

The GDPR has extraterritorial reach - with that reach extending to the U.S. Remember the U.S. giving FATCA an extraterritorial reach? Now the U.S. is on the receiving end! A U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. It does not matter whether the U.S. business has any offices or operations in the EU.

Data Processor v Data Controller

Responsibilities differ under the GDPR depending upon whether you are a “data processor” or “data controller.” What’s the difference?

A data controller is the organization that owns the data.

A data processor is an external organization that helps manage the data or actively process it under the direction of the data controller.

The data controller cannot turn a blind eye to her data processor’s treatment of the EU personal data. If your data processor is not compliant, your organization is not compliant.

Harsh Penalties

The GDPR is enforceable through the EU’s Data Protection Authority (Supervisory Authority) and local enforcement authorities of the EU member states. The enforcement can be civil and/or criminal and may include prosecution of individual directors and officers for deliberate breaches.

Fines for violation of the GDPR can be steep: the higher of 20 million euros or four percent of global annual revenues.

A data breach must be reported within 72 hours from when the organization becomes aware that a breach has occurred. If there is an internal delay in communicating the breach to the compliance officer, the clock is ticking and you might miss the 72-hour deadline. The result could be a double penalty: original breach fine and late reporting fine.

If you fail to comply with some regulatory programs, your failure may be discovered through a government examination or by an employee reporting you to the government authority. With GDPR, you face the added layer of your clients reporting you to the government authority. The stakes are high, so implementing a compliance program is crucial.

Next Steps

It is possible that your existing policies adequately cover issues raised by the GDPR. However, it is necessary to undertake a review of internal and external processes to determine if GDPR-specific policies should be implemented. The mapping of data should include internal sharing and storage along with the mapping of data flows to third-party service providers.

The following are some of the issues to address:

  • Map data flows.

  • Review controls / conduct risk assessment.

  • Obtain informed consent from clients: opt in not opt out.

  • Review and amend existing vendor agreements re: breach liability.

  • Train management team and staff.

  • Create a data protection plan or review and update existing data protection plan.

For assistance, please contact me via my contact page or at
