To comply with GDPR, United States firms will need legal, compliance, and IT to work together. If they can't manage that coordination, the penalty could be harsh.
United States financial services firms are trying to manage regulations and guidance on data protection and cybersecurity from multiple jurisdictions. Now, they are about to face one of their biggest challenges yet when strict new European Union rules governing the use of personal information take effect this spring.
The EU’s General Data Protection Regulation (GDPR) applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The regulation is set to go into effect May 25, 2018.
U.S. companies must take the EU rules seriously and begin implementing the necessary technologies, policies, and procedures as soon as possible to ensure they are ready to comply. They must also make sure that complying with GDPR doesn’t conflict with domestic U.S. regulations. Many U.S. firms may be unready or even unaware that they will likely be subject to the new EU regulations.
“When it comes to GDPR preparedness, on a scale of zero to one hundred, there are quite a few, mostly smaller, firms that are at zero, whereas most of the largest firms with international operations are somewhere between 90 and 95, and no one is at 100,” said Timothy Blank, managing partner of the Boston office of the law firm Dechert, LLP and head of its data privacy and cybersecurity practice areas.
Below are some suggestions for U.S. firms ahead of GDPR's implementation:
What is GDPR?
The GDPR is an EU requirement with a deliberately global reach. It sets a new level of obligations and expectations regarding data protection, security, and management.
- Implementing GDPR has myriad ramifications for firms. A key principle is that the ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. This is a distinctly different legal view from the U.S. perspective.
- The GDPR applies to all online interactions with EU citizens no matter where in the world the business is taking place. It includes enhanced requirements regarding consent to use, and includes a “right to be forgotten” (removal from the record), which may be problematic for some firms.
- GDPR is one of the few pieces of EU legislation that will be unaffected by Brexit. The UK has already stated its commitment to the new approach to data protection, so the regulation's principles are likely to apply even after the UK formally withdraws from the EU.
- The enforcement powers associated with the GDPR are significant. Fines for violations can reach up to 20 million euros or 4 percent of a firm’s global annual revenue, per violation, whichever is larger.
Preparing for GDPR is not simple
“The first step in preparation for GDPR is an acknowledgment that the solution will require legal, compliance, and IT architects to all work together to map and inventory all of their customer data which they hold, which is not an easy task,” Blank said. “Firms must then determine which data is processed or controlled from a legal perspective.”
The strongest “hook” that the EU will have over U.S. firms is if the firm has operations, customers, branches or affiliates operating in the EU that share data with the U.S. entity.
Consent is essential
Many financial services firms have business relationships with individuals going back many years. Therefore, the area that may be the most pertinent for immediate review is consent, a core tenet of data protection law. Obtaining an individual’s consent in order to process his or her personal information may seem an easy way to establish a legal basis for processing. However, consent is not as straightforward a concept as it may at first appear, particularly when it is not clear what conditions must be met for that person’s consent to be effective.
The UK’s Information Commissioner’s Office (ICO) guidance makes clear that getting consent right is fundamental. Getting it wrong will leave the firm subject to the highest tier of administrative fines. “If in doubt, we recommend you consider refreshing consent every two years,” the ICO has cautioned.
Compliance tips and next steps
In preparation for GDPR, financial services companies should start by evaluating their current data protection systems, identifying what personal data they hold, and bringing together their legal and IT teams to develop a detailed implementation plan.
Firms should consider how much data is high risk and is subject to the GDPR. This includes data managed by third parties. They need to determine which data is deemed to be controlled or processed.
At a minimum, businesses should be prepared to invest more in their data security capabilities, either by hiring additional staff or upgrading existing technology. In many cases, financial firms may need to appoint a data protection officer to liaise directly with regulators.
A good data protection program will include a framework where compliance and legal departments manage or oversee workflow with a strong accountability component, as there will be a need to evidence the privacy program to regulators.
Smaller or midsize financial institutions may struggle to identify the exact compliance solution for GDPR. However, ignoring it is not an option. Evidence of data protection, a defined process, accountability, and transparency with the regulators are crucial. European regulators lack authority to enter U.S. offices; the “hook” for EU regulators is often the presence of a branch or affiliate in the EU.