How Does GDPR Affect Financial Institutions?
The EU's new data privacy rules will require financial services firms to undertake new steps to protect client information.
- by Mike Chapple
- Assistant professor of computer applications at the University of Notre Dame | October 30, 2018
When it passed the General Data Protection Regulation in 2016, the European Union sought to create a broad-based privacy regulation that establishes a consistent framework for handling personal information. The regulation affects organizations throughout the European Union and reaches across international borders to regulate use of that information worldwide.
GDPR is a regulation, so it applies directly in every member state without national transposition, but each of the 28 EU member states has passed supplementing legislation that fits the framework into its own legal system and enacts the derogations the regulation leaves to national law. For example, the Data Protection Act 2018 supplements GDPR in the United Kingdom, and Ireland's identically named Data Protection Act 2018 does the same there. Latvia has the Personal Data Processing Law, while Austria implemented GDPR by amending its Data Protection Act 2000.
Financial institutions are no strangers to privacy regulations, operating in one of the most heavily regulated industries in the world. The most important implications of GDPR for institutions already steeped in privacy practices will be to ensure that their current operations comply with GDPR’s provisions, to extend privacy practices to new categories of information and to determine that they have appropriate controls in place to demonstrate compliance to regulators and auditors.
What Types of Personal Information Does GDPR Cover?
GDPR creates two categories of personal information that companies must protect. The first broad category is simply “personal data,” which is defined in GDPR Article 4 as “any information relating to an identified or identifiable natural person.” This includes virtually any data collected about a person that can be somehow linked back to that person, even if it doesn’t have a clear identifier.
The second, and more restrictive, type of personal information consists of data elements that fit into the “special categories” of personal data defined in GDPR Article 9. These include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. This category also includes genetic and biometric data, data concerning health, and information about a person’s sex life or sexual orientation. Organizations are prohibited from collecting or processing this type of information unless the use fits within one of the 10 narrowly tailored exceptions in Article 9(2), such as explicit consent or a substantial public interest set out in law. Account numbers and transaction histories are ordinary personal data, but a transaction history can reveal special-category data (a donation to a religious organization, a payment to a clinic), so an institution should not assume it holds none.
It’s very important to note that, while GDPR is a European law, it has reach far beyond the borders of the European Union. While it clearly applies to the data processing activities of organizations established in the EU, GDPR’s provisions (Article 3) also apply to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior. A financial institution in the United States that offers accounts to EU residents is therefore in scope for that processing.
What Effect Will It Have on Financial Organizations?
Financial institutions must comply with GDPR, as must any organization doing business in the European Union or with EU residents. However, financial institutions are uniquely positioned to comply with GDPR because they’ve already been subject to a wide variety of global privacy regulations. Many of the data governance practices already put in place by the financial industry serve as the basis for GDPR compliance programs.
The most significant effects of GDPR relate to the technical controls used to protect client information. At a high level, financial organizations will need to:
- Build an inventory of personal information held by the organization, including the nature of the information, the locations where it is stored and the purpose of the collection.
- Identify a lawful basis for each processing activity (Article 6) and, where consent is that basis, obtain it clearly and separately before collecting and processing personal information. Financial institutions often rely on performance of a contract or a legal obligation, such as anti-money-laundering and know-your-customer rules, rather than on consent.
- Establish processes to honor an individual’s right to erasure (the “right to be forgotten,” Article 17), together with the related rights of access and data portability, while recognizing that erasure does not override record-retention obligations imposed by financial regulation.
- Implement pseudonymization controls (Article 4(5)) that replace a subject’s identifiers with tokens before sharing, keeping the key or mapping table that would reverse the tokens separate from the shared data, whenever possible.
- Manage the flow of information to vendors and through third-party information systems.
- Develop breach notification processes: a breach must be reported to the supervisory authority within 72 hours of the institution becoming aware of it unless it is unlikely to pose a risk to individuals (Article 33), and to the affected individuals themselves when it is likely to pose a high risk to them (Article 34).
These controls serve as the basis of a GDPR compliance program and also provide a solid foundation for protecting the privacy of personal information.
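The pseudonymization control in the list above is the one most often implemented badly, so here is an added example (not code from the article, and not any institution's real schema) that contrasts the common mistake with the approach GDPR Article 4(5) describes. It assumes a toy customer record layout with constructed sample rows; account numbers are shortened to five digits so the brute-force demonstration runs in a second, but the point holds for any enumerable value space.

```python
"""Pseudonymizing customer records before sharing them.

Added example, not code from the original article. Record layout, field
names and the shortened 5-digit account numbers are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from itertools import product
from typing import Optional

# Constructed sample rows; real account numbers are longer, but the attack on
# the unkeyed hash scales with the size of the value space, not with the hash.
CUSTOMERS = [
    {"customer_id": "C0001", "account": "40231", "name": "Ana Ruiz", "balance": 1520.40},
    {"customer_id": "C0002", "account": "71998", "name": "Bo Li", "balance": 99.10},
]
IDENTIFIERS = ("customer_id", "account", "name")  # direct identifiers to replace


def weak_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the value. Common, and not pseudonymization in the
    GDPR sense: anyone who knows the value format can recompute the mapping."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_weak_pseudonym(token: str, ndigits: int) -> Optional[str]:
    """Attacker side: hash every ndigits-long numeric string and compare.
    10**ndigits SHA-256 calls is cheap offline even for realistic sizes."""
    for digits in product("0123456789", repeat=ndigits):
        candidate = "".join(digits)
        if weak_pseudonym(candidate) == token:
            return candidate
    return None


def new_key() -> bytes:
    """Pseudonymization key. It must live in a key store separate from the
    shared dataset (the 'additional information kept separately' of Art. 4(5))."""
    return secrets.token_bytes(32)


def keyed_token(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over 'field:value'. Deterministic, so rows stay joinable
    across datasets tokenized with the same key, but unguessable without it.
    The field prefix keeps equal strings in different columns from colliding."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list, key: bytes) -> tuple:
    """Return (rows safe to share, re-identification table for the key holder).
    Identifier columns are replaced by tokens; other columns pass through."""
    shared, lookup = [], {}
    for rec in records:
        row = {}
        for field, value in rec.items():
            if field in IDENTIFIERS:
                tok = keyed_token(key, field, str(value))
                row[field + "_token"] = tok
                lookup[tok] = (field, str(value))  # stays with the controller
            else:
                row[field] = value
        shared.append(row)
    return shared, lookup


def reidentify(lookup: dict, token: str) -> Optional[str]:
    """Controller-only operation: map a token back to the original value."""
    entry = lookup.get(token)
    return entry[1] if entry else None


if __name__ == "__main__":
    # The unkeyed hash of an account number is reversed by enumeration.
    leaked = weak_pseudonym(CUSTOMERS[0]["account"])
    print("unkeyed hash reversed to:", reverse_weak_pseudonym(leaked, 5))

    # The keyed version: share `shared`, keep `key` and `lookup` in-house.
    key = new_key()
    shared, lookup = pseudonymize(CUSTOMERS, key)
    print("row sent to vendor:", shared[0])
    print("brute force against keyed token:",
          reverse_weak_pseudonym(shared[0]["account_token"], 5))
    print("controller re-identifies:", reidentify(lookup, shared[0]["account_token"]))
```

The design choice worth noting is that the vendor receives only `shared`; the key and the `lookup` table never leave the institution, which is exactly what lets the output count as pseudonymized rather than merely hashed. Rotating the key produces an unlinkable new set of tokens, so key rotation is also the mechanism for severing a vendor's ability to join old and new extracts.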
How Is the Regulation Being Enforced, and What Are the Penalties for Noncompliance?
Every EU member state designates a supervisory authority responsible for enforcing data privacy rules and investigating cases where organizations are not compliant with GDPR. The reason GDPR has attracted so much attention is that these supervisory authorities have the power to levy substantial fines. When assessing a fine, GDPR requires that the supervisory authority consider a number of factors, including:
- The nature, severity and duration of the infringement.
- The intentional or negligent character of the infringement.
- Any action taken by the infringing organization to mitigate the damage.
- The nature of the technical and business process controls put in place by the infringing organization.
- The past record of violation by the infringing organization and its degree of cooperation with the investigation.
The penalties assessed under GDPR are tiered. Infringements of the controller’s and processor’s own obligations, such as record keeping, security of processing and breach notification (Article 83(4)), carry a maximum of 10 million euros or 2 percent of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher. The most serious infringements, including violations of the basic processing principles, of data subject rights and of the international transfer rules (Article 83(5)), carry up to 20 million euros or 4 percent. Because the cap scales with turnover, the impact of a violation is significant even for enormous multinational corporations: a multinational with 100 billion euros of worldwide annual turnover would face a maximum fine of 4 billion euros.
To learn more about key technologies that can help financial institutions deal with GDPR, read the CDW white paper “Financial Institutions and GDPR: What You Need to Know.”