All may be relatively quiet on the regulatory front in the U.S., but this May new privacy regulations are taking effect in the European Union, which will likely impact even the most provincial U.S. financial institutions.
The E.U.’s General Data Protection Regulation (GDPR), approved in April 2016, is much broader than the U.S.’s most well-known privacy regulations, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPPA). GDPR will be implemented on May 25, 2018. It protects any information that links to an individual, including names, email addresses, IP addresses, photos, social networking sites in addition to what Americans consider sensitive customer data. Breaches must be disclosed within 72 hours.
The bad news for U.S. institutions is that GDPR doesn’t just apply to E.U. members. It also applies to organizations outside the E.U. that offer goods or services or monitor the behavior of EU data subjects. Simply put, it applies to all companies processing and holding the personal data of subjects residing in the E.U. regardless of the company’s location. This includes both the controller of the data, which is responsible for storage, use and disclosure policies and procedures, and the processor, which houses the data for the controller.
The worse news is that fines are huge: up to four percent of gross revenues for the most egregious violations, including insufficient customer consent to process and two percent of gross revenues for violations like not having records in order or failing to promptly notify customers and authorities of a breach.
Don’t think this includes you? Think again. These strict privacy regulations can apply to financial institutions in the United States.
You may not do business overseas directly, but your customers might.
From global and internet banking to peer-to-peer payment and bill pay, your vendors may be conducting business operations or transactions with individuals in the E.U. If your vendor gets fined under the regulations, the financial damage could have a major impact on its ability to operate. It could also implicate your institution because you are responsible for the actions of your vendors taken in your name.
Make sure your vendors are ready and limit liability with four key questions:
Taking the time to ask these questions can save you from potentially larger issues. Don’t assume GDPR doesn’t impact you.