The Privacy Upheaval That’s Just Around the Corner

By Sue Bury, President & CEO, 1STWEST Background Due Diligence

If you’re a bank or financial service provider that does business or stores data in Europe, there’s an elephant in the room you may not be aware of. A new law is set to take effect in the EU that will radically alter the privacy landscape.

In less than two months, companies doing business in the European Union, or that handle the personal data of EU citizens (even briefly), will find themselves navigating a stringent new set of rules designed to protect the privacy rights of individuals. The General Data Protection Regulation (GDPR) – which takes effect on May 25, 2018 – will impose increased responsibility and accountability on millions of businesses. For banks and financial service providers that conduct cross-border deals, background checks, or transfer funds within EU nations, even knowing where to begin to get ready can seem like a daunting task.

If you’re just now getting started, you’re already behind the curve. And you’re not alone. The elephant in the room, according to recent surveys of businesses, is that 35% of U.S. organizations already don’t believe they will be fully prepared for GDPR in time for the deadline.

But that doesn’t mean there aren’t some critical steps that can be taken to limit the risk of noncompliance (which can be costly, with fines as high as €20 million, or 4% of a company’s global revenue).

It would be helpful to start with a brief primer on GDPR – which some commentators have called the most important change to data privacy rules in more than two decades. The new rules impose a strict framework for protecting the personal information of individuals in an age of big data.

What does “personal data” cover? The short answer is everything. Under the EU’s new language, personal data encompasses “any information relating to an individual, whether it relates to his or her private, professional or public life.”

That means everything from a person’s name to their medical information is now subject to special handling by your own firm, as well as any third-party vendors with whom you work. So, as you prepare for GDPR compliance, it is incumbent on you to ensure your data is protected adequately by everyone you share it with – such as brokers, marketing firms and credit reporting agencies.

It’s important to think broadly about how this may apply to you. For instance, fleet and agricultural leasing firms that employ data analytics and location data in a bundled service offering must be cognizant of how and where that data is stored and who has access to it.

There are many components of the GDPR, but several in particular are especially important for banks and financial service providers.

For instance, GDPR mandates that firms have express consent from an individual before storing or sharing personal information. What that means is that financial service providers can no longer count on the opt-in-by-default privacy policies that many companies currently employ. Instead, privacy features must be incorporated “by design” in the transaction process, and customers must be made aware at each stage of the process who will have access to their information. The keyword is transparency; always be upfront with clients about how their data will be used. And make sure written internal policies are in place and frequently revisited to ensure continued compliance.

Also, under the new rules, individuals will now have a right to “be forgotten.” In other words, if a client opts out of your service, it is your responsibility to provide access to any information you have upon that individual’s request, and firms are forbidden to retain data unless there is an explicit justification to do so (for instance, where legal or regulatory guidelines require e-data retention).

The new law also strengthens information security requirements, providing a window of just 72 hours for firms to report a data breach from the time it is discovered.

Complying with GDPR could be challenging – particularly for firms that have developed proprietary systems that use legacy technology. For instance, it could require employing additional analytics that allow more granular data “scraping” if needed. Protecting the integrity of personal information and providing timely updates on data breaches could also necessitate the hiring of new tech personnel. Some large companies are even being encouraged to consider bringing in a Data Protection Officer (DPO) to oversee all the moving parts of GDPR.

While it’s understandable that some will view the introduction of these new guidelines with trepidation, financial service providers that already foster a culture of sensitivity to data security and privacy may find that GDPR provides a valuable means of differentiating themselves from their competitors. Instead of fretting the increased privacy protections, familiarize yourself with the changes, be prepared and make information privacy your new value-added service.