
Is Your Bank Ready for GDPR? It's Coming May 25

May 16, 2018 3:30:00 AM

The General Data Protection Regulation (GDPR) is perhaps the most significant change to bank regulation this year. From May 25, this new framework establishes specific rules for collecting, accessing, and protecting personal data. It protects individuals located in the European Union, but the implications reach well beyond Europe. As you work to make better use of data in your business operations, your bank will also need to put these compliance requirements in place.
 

What Does GDPR Mean for Banks?

In short, it’s complex. The goal is to protect consumers as more of their data becomes accessible and in use. Technology changes rapidly, and it has become nearly impossible for slow-moving government oversight to track how companies of every type use data. This regulation sets a blanket level of protection for the consumer instead. Here’s a quick breakdown of what the regulation is and who is affected.

Is Your Bank Impacted?

The short answer here is – probably. If you offer services to people in the EU, or you monitor the behavior or data usage of people in the EU, you fall under GDPR. Even if you only monitor the behavior of EU residents, without selling them anything, the new law applies.

What Does It Require?

Again, the short answer here is – you must know, and be able to show regulators, what personal information you collect, use, and share. This is a very broad requirement as well. Information such as account details and personal identification is something your bank already works to protect. However, this regulation goes further. Personal data also covers photos, email addresses, social media identifiers, and even the IP address your website stores so your customers can log in with ease.

Will Data Become Inaccessible?

Most likely, no. The goal of GDPR is not to eliminate access to data. Rather, it is to tell people who holds and shares their data and how that information is being used.

What Do You Have to Do?

This depends on where you stand in terms of data protection and analysis. Most financial institutions should already be well into, or have completed, a thorough analysis of how their operations handle data. This should include:

  • A comprehensive security audit
  • Employee education on the new regulations
  • Updating and modernizing privacy policies
  • Creating a plan with an IT team to address data usage and storage
  • Working to address how data is obtained and processed within your organization – and much more. 

What About Security?

A significant component of GDPR is privacy and protection for personal data. There are several key components here:

  • Common “opt-out” approaches to gathering data are not acceptable any longer. Rather, the customer must provide a “statement of clear affirmative action” before data can be obtained.
  • Long, complicated agreements with wording buried into them are not acceptable.
  • The purpose for which data is collected must be stated in plain language, and use of the data must be limited to that purpose.
  • Consumers must have a way of withdrawing consent, and they can ask to have their data erased. This “right to be forgotten” could be one of the more challenging components of the new regulation, since shared data can spread to countless systems that all have to act on the request.
  • Customers must also be given access to the data being used about them when they request it.
  • A personal data breach must be reported to the supervisory authority within 72 hours of the bank becoming aware of it, and the affected individuals must be notified without undue delay when the breach puts them at high risk.
  • Regular and systematic monitoring of individuals on a large scale will require a data protection officer to oversee access and security.

These are just some of the major components of the regulation. Financial institutions will need to pull apart their complex data flows to truly understand what data they are using, why they are using it, and how they can better protect it.

Many U.S. Banks Are Not Ready

Some industry experts expect many U.S. banks with international operations simply not to be ready for the new requirements. Banks that have already taken concrete steps toward compliance may be safe from immediate concern; regulators are expected to give credit for that kind of good faith effort. For the others, catching up at this point will take significant effort.

Does this mean you should stop your data efforts? The answer here is absolutely not. While the initial months of GDPR will be challenging until processes are streamlined and modernized, data remains an incredibly valuable tool. More so, as best practices develop, these data protections will not limit but could enhance the quality of the data you use and access.

Written by Sandy Baker