Covered entities include U.S. banks and non-depository financial institutions, such as broker-dealers, investment advisers and funds.
The General Data Protection Regulation (GDPR), which became effective in the European Union (EU) on May 25, 2018, establishes new rules relating to the use, processing, and protection of personal data concerning individuals located in the EU. For financial institutions, penalties for non-compliance with GDPR can range as high as 4 percent of your annual global revenue or 20 million euro, whichever is greater.
Who is covered
The GDPR applies to any person or entity (acting alone or together with others) that processes personal data of individuals located in the EU, regardless of where the entity or person is headquartered. This would include U.S. banks and non-depository financial institutions, such as money transmitters, broker-dealers, investment advisers, funds, credit reporting agencies, and other entities that receive information about EU residents.
While the regulation applies to entities of various types and sizes, it provides certain exceptions for entities that employ fewer than 250 employees.
The GDPR does not apply to persons processing personal data exclusively for personal or household purposes.
What types of data are covered
The types of personal data covered include any identifiable information relating to a natural person “such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Additionally, there is no exclusion under the GDPR for publicly available information.
For financial institutions, this would potentially include any personal information that is collected from EU residents, including customer names, addresses, Social Security numbers, employment information, assets and liabilities, transaction history, income and expenses, and information collected for Know-Your-Customer (KYC) or other anti-money laundering purposes.
New data subject rights
The GDPR provides consumers with several new privacy and data management rights, including, among other things, the right to be informed about the legal purpose for which data is processed, the right to access and request a copy of personal data, the right to have inaccurate personal data rectified, and the right to have personal information erased.
U.S. Financial Privacy Regulations versus EU GDPR
The current landscape of U.S. privacy and data security regulation consists of a patchwork of federal and state laws intended to promote transparency, privacy, and data protection.
For banks and other financial institutions transacting business in Florida, the laws and regulations governing the use and protection of personal data collected from customers are principally found in the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Right to Financial Privacy Act (RTFPA) and Florida law.
GDPR imposes a number of requirements on covered financial institutions that exceed the scope of existing U.S. financial privacy law. Download our “GDPR vs. U.S. Financial Privacy Regulations” matrix for a detailed comparison of the compliance requirements.
The GDPR is already having a significant impact on the financial services industry. Contact us to learn more about how your financial institution might be impacted by the new requirements. If your institution is affected by GDPR, our team can help you develop a plan to assess the current state of your institution’s compliance program against GDPR’s requirements and address any gaps that may exist in your current compliance program.