How Does GDPR Affect Financial Institutions?

When it passed the General Data Protection Regulation in 2016, the European Union sought to create a broad-based privacy regulation that establishes a consistent framework for handling personal information. The regulation affects organizations throughout the European Union and reaches across international borders to regulate use of that information worldwide.

Each of the 28 EU member states has its own implementing legislation that applies the GDPR framework within its own legal system and creates any exceptions that might exist in each country. For example, the Data Protection Act implements GDPR in the United Kingdom, while the similarly named Data Protection Act 2018 implements it in Ireland. Latvia has the Personal Data Processing Law, while Austria implemented GDPR by amending its Data Protection Act 2000.

Financial institutions are no strangers to privacy regulations, operating in one of the most heavily regulated industries in the world. The most important implications of GDPR for institutions already steeped in privacy practices will be to ensure that their current operations comply with GDPR’s provisions, to extend privacy practices to new categories of information and to determine that they have appropriate controls in place to demonstrate compliance to regulators and auditors.

What Types of Personal Information Does GDPR Cover?

GDPR creates two categories of personal information that companies must protect. The first broad category is simply “personal data,” which is defined in GDPR Article 4 as “any information relating to an identified or identifiable natural person.” This includes virtually any data collected about a person that can be somehow linked back to that person, even if it doesn’t have a clear identifier.

The second, and more restrictive, type of personal information consists of data elements that fit into the “special categories” of personal data defined in GDPR Article 9. These include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. This category also includes genetic and biometric data and information about a person’s sexual activity or orientation. Organizations are prohibited from collecting or processing this type of information unless the use fits within one of 10 narrowly tailored exceptions.

It’s very important to note that, while GDPR is a European law, it has reach far beyond the borders of the European Union. While it clearly applies to the data processing activities of companies based in the EU, GDPR’s provisions also apply to any organizations that handle information covering EU residents. This includes financial institutions in the United States that have EU residents as customers.

What Effect Will It Have on Financial Organizations?

Financial institutions must comply with GDPR, as must any organization doing business in the European Union or with EU residents. However, financial institutions are uniquely positioned to comply with GDPR because they’ve already been subject to a wide variety of global privacy regulations. Many of the data governance practices already put in place by the financial industry serve as the basis for GDPR compliance programs.

The most significant effects of GDPR relate to the technical controls used to protect client information. At a high level, financial organizations will need to:

• Build an inventory of personal information held by the organization, including the nature of the information, the locations where it is stored and the purpose of the collection.
• Obtain clear consent prior to collecting and processing personal information.
• Establish processes to enforce an individual’s right to data erasure and right to be forgotten.
• Implement pseudonymization controls to remove a subject’s identity from personal information prior to sharing, whenever possible.
• Manage the flow of information to vendors and through third-party information systems.
• Develop breach notification processes.

These controls serve as the basis of a GDPR compliance program and also provide a solid foundation for protecting the privacy of personal information.

MKT25094