Pub 8 2018-2019 Issue 1

Over a Century: Building Better Banks - Helping Coloradans Realize Dreams | July • August 2018

just affect businesses in the EU, and that’s left many American financial institutions unaware of—or uncertain about—their obligation to it.

Is Your Institution on the Hook for GDPR?

The GDPR website states that the law, “not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.” Given this long reach, some U.S. financial institutions fall under the GDPR umbrella. But which ones? The International Association of Privacy Professionals (IAPP) recommends the following three-question test to determine GDPR liability. A “yes” to any of the three indicates a GDPR obligation.

1. Do you have a physical presence in the EU? Even if it’s just a small branch or office inside the EU, you are bound by GDPR.
2. Do you sell your products or services to EU citizens? If you have a premeditated strategy to sell to persons or have customers located in the EU, GDPR applies.
3. Do you use advertising technology that tracks and profiles EU citizens? This test has the most potential to trip up American institutions. Consider whether your advertising strategy regularly targets EU citizens for products or services.

Security and Privacy Principles of GDPR

At its core, GDPR establishes a set of three principles to protect consumer data and the corresponding privacy of its owners. The language around GDPR applies to data controllers (controllers), which include financial institutions, as well as data processors (processors), which include all organizations that process data for controllers, such as a bank’s core processor. The three principles, which apply to controllers and processors, can be organized according to the following three categories:

1. Data Processing: New York University School of Law’s primer on GDPR outlines the principles that specifically apply to how controllers and processors obtain and handle the data of EU subjects, including the following:
• Legal basis: Controllers must meet one of five lawful bases for processing a subject’s data. It must: be needed to fulfill a contract; meet compliance obligations; protect the individual’s “vital interests”; perform a task in the public interest; and/or meet the legitimate interests of the controller, unless that is outweighed by the individual’s rights.
• Express consent: Without such legal basis, controllers must obtain an individual’s consent, which NYU explains “must be freely given, specific, informed and unambiguous.”
• Delegation to processors and sub-processors: To outsource to a processor, a controller must obtain written guarantees that the processor and any sub-processors will comply with GDPR.
• Contract language and obligations: Contracts between controllers and processors must specifically detail the subject matter, duration, purpose, data type, data subject categories and each party’s obligations and rights.
• Breach notification: If breached, controllers and processors must notify regulatory authorities “without undue delay” and within 72 hours of discovery.

2. Individual Rights: GDPR grants individuals substantial data privacy rights. Individuals may exercise the following rights, which controllers and processors must fulfill starting May 25, 2018:
• Data access: The right to request a copy of their personal data from a controller.
• Data correction and erasure: The right to request that any errors be corrected or to be forgotten, i.e. have their data erased.
• Data portability: The right to transfer data to another controller.

3. Governance: Chief among the GDPR principles that relate to accountability are the following:
• Record keeping: Both controllers and processors must keep a record of all processing activities, and controllers must also conduct inventory audits of the same.
• Data protection officer: Controllers and processors that process and/or monitor data on a large scale are required to appoint an officer and grant them the requisite authority to fulfill that role.
• Data protection impact assessment: Those involved in high-risk processing are required to conduct this assessment.
• Designated representatives: Some controllers and processors not located in the EU, but subject to GDPR, must name a representative in the member state where the data is processed or monitored.

Even if, after conducting the above analysis, your institution concludes that it isn’t covered under GDPR, you still need to understand the law’s broader implications. There is good reason to believe that the U.S. will follow the EU and enact something similar to GDPR in the coming years. Although it is difficult to predict exactly when or how such a law may come to pass, the 2017 Equifax breach and more recent privacy concerns at Facebook are but two examples of incidents that will likely spur consumers to push for greater privacy protections, and legislators to answer that call.

GDPR liable or not, financial institutions should invest in ways to better protect customer data and privacy. Those that do will not only be better prepared for existing and future regulation—but also they will protect their reputations as trusted resources.

Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.
