If you think your financial institution does not have to comply with the European Union’s General Data Protection Regulation because you don’t serve any EU residents, not only would you be very wrong, but this mistake could be very costly.
The EU GDPR, which took effect on May 25, will impact every U.S. business that processes the “personal data” of EU residents. The regulation focuses on the processing of the data, not the location of the business.
What Does the EU GDPR Require?
The EU GDPR requires entities that process the data of EU residents to obtain specific consent to do so (unless an exception applies). It also provides EU residents with the “right to be forgotten,” allowing such individuals the right to request the deletion of their data.
To carry out these requirements, the regulation requires entities to create data protection policies and, when the entity requires the monitoring of data subjects “on a large scale” (an undefined term), the appointment of a data protection officer.
The regulation also requires entities to notify the EU regulators no later than 72 hours after the entity becomes aware of the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to” personal data, unless harm to a data subject is unlikely. Notice must be provided to data subjects only when a breach results in a high risk to their respective rights and freedoms.
What is “Personal Data” and What is Required for Processing?
“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing of personal data is lawful only if one of the following applies:
If one of these lawful purposes does not apply, the entity must first obtain the individual’s specific consent before his/her personal data can be processed.
How Must Consent Be Obtained?
Consent must be specific, and the request for consent must be separate from any other written text. The language used must be “clear and plain.”
The data subject also has the right to withdraw this consent at any time, in a manner as easy as it was to provide it.
What is the Right to Be Forgotten?
EU residents have the right to request the deletion of their data without undue delay when one of the following applies:
Your financial institution’s record retention requirements will override an EU resident’s request to delete his/her information, but information not required to be retained for a specific length of time will have to be deleted upon request.
What are the Penalties for Non-Compliance?
The penalties for non-compliance with the GDPR are significant. Fines of up to €20 million (approximately $25 million) or 4 percent of global annual turnover in the previous financial year, whichever is higher, will be assessed against entities found to have inadequately safeguarded EU resident personal data.
No. Regulation P requires an opt-out for sharing information with non-affiliated third parties for marketing purposes, with exceptions for affiliates and those with whom the institution has a joint marketing agreement.
The GDPR requires consent from EU residents before any information can be processed. Therefore, the privacy notice provided to members/customers will be insufficient to comply with the GDPR.
What Must a Credit Union Do to Prepare and Comply?
1. Amend existing security policies to include the GDPR requirements.
2. Appoint a data protection officer, or at least someone who is familiar with the information obtained and processed, as well as the GDPR requirements.
5. Create a specific consent form for the processing of EU resident personal data (e.g., for marketing purposes) for EU resident members/customers. Existing EU resident members/customers are not grandfathered, which means consent must be obtained from existing members/customers as well as new ones.
6. Amend marketing plans to ensure EU residents are not included in any mass mailings or email campaigns until their individual consent forms are signed.
7. Review and amend third-party contracts for all third parties that collect and process data on behalf of the financial institution. Contracts should be amended to provide specifically how data is protected, as well as the requirements and responsibilities for incident response notification.