Many U.S. firms, including credit unions, that do business with European Union customers and citizens/residents now need to deal with the EU’s General Data Protection Regulation, effective May 25, 2018.
The GDPR now governs data protection and privacy for all individuals within the European Union. It also regulates the export of personal data outside the EU and establishes a single set of criteria to protect individuals and help companies understand their compliance obligations when it comes to personally identifiable information.
The GDPR does not specifically contain either the word “citizen” or “resident”, but instead refers to “data subjects” and “natural persons.” Some legal experts interpret the regulation as applying to the processing of data about anyone located within the EU’s legal borders, regardless of citizenship.
GDPR not only goes into effect across all 28 EU nations but the United Kingdom plans to adopt the same standards as well despite Brexit.
The International Association of Information Technology Asset Managers identified the top five ways the new EU regulation affects organizations:
- If a company experiences a personal data breach, it must report it to the supervisory authority within 72 hours of becoming aware of the incident.
- Each company doing business in Europe needs a designated individual responsible for maintaining data privacy and control; the GDPR formally requires a data protection officer for organizations whose processing meets certain criteria, such as large-scale monitoring of individuals.
- The data controller bears the burden of proof that the data subject consented to processing for specified purposes.
- Any organization that handles the personal information of EU residents, or receives such data from a third party, such as phone numbers, addresses or any other identifying information, will be subject to the GDPR.
The fines for not complying with the GDPR are up to 20 million Euros (about $23.5 million) per violation or up to 4% of the organization’s annual worldwide revenue, whichever is higher. A lower tier, which covers violations of obligations such as data security and breach notification, carries fines of up to 10 million Euros (about $11.8 million) or up to 2% of the organization’s annual worldwide revenue, again whichever is higher.
Eighty-five percent of firms in Europe and the U.S. will not be ready on time, and 25% will not be fully compliant by the end of this year, according to a report from Capgemini’s Digital Transformation Institute, which surveyed 1,000 executives and 6,000 consumers across eight markets. The report also found that 63% of U.S. respondents expect to be largely or completely compliant.
Financial institutions especially, because they are prime targets of expected lawsuits, must have a comprehensive plan for managing and securing European consumers’ data.
“If you are a credit union in the U.S. you are likely going to have to comply with this law if you have any members (even if it is only one or two) who moved to Europe or live in Europe,” Michael S. Edwards, vice president and general counsel for the World Council of Credit Unions, said last year.
“Credit Unions better be ready to deal with GDPR even if they think they don’t have to,” Dan Clarke, chief operating officer at the $3.3 Portsmouth, N.H.-based Service Credit Union, said. Service, which serves some 230,000 members, including people living or working nearby and personnel on military bases, and operates 14 branches in Germany, is ready.
Clarke suggested that a U.S. Air Force airman stationed in Germany, even though a U.S. citizen, would fall under GDPR protection. The same goes for European Union citizens studying in the U.S. who hold credit union accounts. Either way, Service wanted to make sure the credit union complied. “All of the contracts that we do from this point on have some sort of GDPR disclosure in them.”
Gary Southwell, GM/VP of the security products division at Boston-based CSPi, advised that credit unions must know whose information they hold and ensure its protection. “If credit unions have European subjects’ information it then applies to them.” CSPi, one of many fintech firms developing ways to help organizations meet GDPR requirements, created the Myricom nVoy Series Recorder, which allows specialists to perform forensic analysis.
Southwell added, “For companies in regulated industries it is even more important to solve these challenges to adhere to data privacy laws, such as the EU’s GDPR. We took a much more pragmatic approach to the problem, placing focus on the data that must be protected at all costs, an organization’s PII, financial transactions, and/or intellectual property.”