The General Data Protection Regulation (GDPR), adopted by the EU in April 2016 and applicable since May 25, 2018, has strengthened the rules governing the processing of personal data. Businesses need to understand how it affects them and whether they must comply, in order to avoid potential risk.
This update is the most significant change in the EU's data protection regulation since the 1995 Data Protection Directive. The GDPR sends the message that the EU takes consumer privacy seriously by strengthening the rights of individuals. Financial institutions, which hold large volumes of sensitive personal data, are particularly exposed. An organisation found noncompliant can face fines of up to four percent of annual global turnover, as reported by Forbes (the regulation sets the ceiling at four percent or 20 million euros, whichever is higher).
Below we have outlined some of the important elements of the GDPR and frequently asked questions.
1. Breach Notification
Businesses must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If notification takes longer than 72 hours, the reasons for the delay must be given to the authority. Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay.
2. Right to Access
This gives the consumer the right to learn whether and how a business is processing their personal data. It has two stages. The controller must first establish whether it is processing any personal data concerning that person at all, and confirm this either way. If it is, the right of access extends to the purposes of the processing, the categories of data concerned, the recipients it has been or will be disclosed to, the envisaged retention period, and the source of the data where it was not collected from the individual, together with a copy of the data itself.
3. Right to be Forgotten
The consumer has the right, under certain conditions (for example where the data is no longer needed for the purpose it was collected for, or where the consent it rested on has been withdrawn), to have the business or data controller erase their personal data and stop processing it. The GDPR does not prescribe a destruction method, but erasure in practice means the data can no longer be recovered from any copy the controller holds, whether through physical destruction of the media or through secure overwriting or deletion; simply unlinking a record while leaving it in storage does not meet the bar. If the controller has made the data public, it must take reasonable steps, including technical measures, to inform other controllers processing that data that the individual has requested erasure of any links to, or copies of, it.
More information about details and key issues included in the GDPR can be found here.
Does my business need to be in compliance?
Location alone does not settle the question. Under Article 3 of the GDPR, a company with no establishment in the EU must still comply if it offers goods or services to people in the EU or monitors their behaviour, for example through website tracking. A US business with no EU operations, customers or visitors falls outside its scope, but that is a narrower category than many assume.
Any company that does business with the European Union therefore has to comply with the GDPR, and both US and UK companies should be familiar with the updated regulation. One caveat that is often overlooked concerns US-based employees of a company headquartered in the EU: the personal data they process, and their own HR data held by the EU parent, can fall within the GDPR's scope, so this situation needs legal review.
What security measures do I need to follow regarding GDPR?
Businesses must have an incident response policy for handling a breach, and more transparency towards individuals and the supervisory authority is required. Article 32 of the GDPR calls for technical and organisational measures appropriate to the risk, and names pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data promptly after an incident, and a process for regularly testing and evaluating the effectiveness of those measures. Policies and procedures therefore need to be tested and maintained consistently, not written once and filed.
The bottom line is that businesses, especially financial institutions, need to be transparent. Transparency with consumers about what personal data is collected and why is a core GDPR principle and goes a long way towards compliance, provided it is backed by the security measures above. Transparency equals trust in the eyes of the consumer, and businesses have everything to gain from taking thorough precautions to mitigate risk and earn that trust.
Visit 5 Things Financial Firms Need to Know About Cyber Security to learn more about what you need to do to protect your firm.