2018 Vol. 102 No. 5

42 SEPTEMBER / OCTOBER 2018 OPERATIONS / TECHNOLOGY

General Data Protection Regulation: A banker's guide
Keith Monson, Chief Risk Officer, CSI, keith.monson@csiweb.com

Two years ago, the European Union took an unprecedented step toward resolving the conflict between big data and privacy. Passage of the General Data Protection Regulation (GDPR) ushered in a new era for individual privacy rights, but it created a potential compliance nightmare for organizations that collect and handle data. According to the official GDPR website,[1] "The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established." The 1995 directive provided an answer to the division of privacy regulations across the EU and, overall, both the directive and GDPR hold tight to the idea that privacy is a fundamental human right.

GDPR, effective May 25, 2018, has far-reaching implications. Companies in the EU have spent the past 24 months preparing for this date. However, GDPR doesn't exclusively affect businesses in the EU, and that's left many American financial institutions unaware of, or uncertain about, their obligation to it.

Is Your Institution on the Hook for GDPR?

The GDPR website states that the law "not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects." Given this long reach, some U.S. financial institutions fall under the GDPR umbrella. But which ones? The International Association of Privacy Professionals[2] recommends the following three-question test to determine GDPR liability. A "yes" to any of the three indicates a GDPR obligation:

1. Do you have a physical presence in the EU? Even if it's only a small branch or office inside the EU, you are bound by GDPR.
2. Do you sell your products or services to EU citizens? If you have a premeditated strategy to sell to persons or have customers located in the EU, GDPR applies.
3. Do you use advertising technology that tracks and profiles EU citizens? This test has the most potential to trip up American institutions. Consider whether your advertising strategy regularly targets EU citizens for products or services.

Security and Privacy Principles of GDPR

At its core, GDPR establishes a set of three principles to protect consumer data and the corresponding privacy of its owners. The language around GDPR applies to data controllers ("controllers"), which include financial institutions, as well as data processors ("processors"), which include all organizations that process data for controllers, such as a bank's core processor. The principles, which apply to controllers and processors, can be organized according to the following three categories:

CSI Secure Connect and CSI WatchDOG Social Compliance are Preferred Service Providers of the Indiana Bankers Association.
