NEW YORK (Thomson Reuters Regulatory Intelligence) - U.S. financial services firms trying to manage regulations and guidance on data protection and cyber security from multiple jurisdictions, are about to face one of their biggest challenges yet when strict new European Union rules governing the use of personal information take effect.
The EU's General Data Protection Regulation(GDPR)(here), applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The regulation is designed to protect the privacy rights of EU individuals. It was adopted in April 2016, and is set to go into effect May 25, 2018.
U.S. companies must take the EU rules seriously and begin implementing the necessary technologies, policies, and procedures as soon as possible to ensure they are ready to comply. They must also make sure that complying with GDPR doesn’t conflict with domestic U.S. regulations.
Many U.S. firms may be unready or even unaware that they will likely be subject to the new EU regulations.
“When it comes to GDPR preparedness, on a scale of zero to one hundred, there are quite a few, mostly smaller firms that are at zero, whereas most of the largest firms with international operations are somewhere between 90 and 95, and no one is at 100,” said Timothy Blank, managing partner of the Boston office of the law firm Dechert, LLP and head of its data privacy and cyber security practice areas.
Below are some suggestions for U.S. firms in advance of implementation of GDPR in May 2018.
OVERVIEW AND PENALTIES
The GDPR is an EU requirement with a deliberately global reach. It sets a new level of obligations and expectations regarding data protection, security, and management. The rules are more restrictive than state laws such as the New York Department of Financial Services' Cybersecurity Regulation that took effect in August 2017(here). Other states including California and Massachusetts are also known for their strict laws governing personal data.
Implementing GDPR has myriad ramifications for firms. A key principle is that the ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. This is a distinctly different legal view from the U.S. perspective.
The GDPR applies to all online interactions with EU citizens no matter where in the world the business is taking place. It includes enhanced requirements regarding consent to use, and includes a “right to be forgotten” – or removed from the record -- which may be problematic for some firms.
GDPR is one of the few pieces of EU legislation that will be unaffected by Brexit. The United Kingdom already has stated its commitment to the new approach to data protection, so the regulations principles are likely to apply even after the UK formally withdraws from the EU.
The enforcement powers associated with the GDPR are significant. Fines for violations can reach up to 20 million Euros or 4 percent of a firm’s global annual revenue, per violation, whichever is larger.
PREPARING FOR GDPR IS NOT SIMPLE
“The first step in preparation for GDPR is an acknowledgment that the solution will require legal, compliance, and IT architects to all work together to map and inventory all of their customer data which they hold, which is not an easy task. Firms must then determine which data is processed or controlled from a legal perspective,” Blank told Regulatory Intelligence.
Jane Shvets, a partner with law firm Debevoise & Plimpton in London also told Regulatory Intelligence, “What we have seen from the point of view of U.S. firms who have limited operations in the EU it’s been a very patchy approach.”
Both attorneys agreed that for some clients the overall exposure might be low. However, the largest firms are taking the rule very seriously while others have yet to address the new regulations at all.
Shvets said, “When we consider borderline cases, we often advise clients about the risk of enforcement. The question we ask them is how would a data protection authority impose GDPR on you?”
Both agreed that the strongest “hook” that the EU will have over U.S. firms is if the firm has operations, customers, branches or affiliates operating in the EU that share data with the U.S. entity.
CONTROLLERS vs. PROCESSORS
Compliance with the rules will require an extensive mapping exercise will allow firms to understand how their data flows. Such an exercise will also show that a firm understands what type of data it has, whether customer or employee personal data or other sensitive data is shared and who has access to it. The firm can then determine one’s role in the process --- as a “data processor” or “controller” under GDPR definitions.
Article 4 of GDPR defines “controller” as the person or entity that determines the purposes and means of the processing of personal data. A “‘processor” is the person or entity that processes personal data on behalf of the controller.
“If you are a data controller you have significantly greater obligations under GDPR than a processor,” Blank said.
CONSENT IS ESSENTIAL
Many financial services firms such as brokers and asset managers have business relationships with individuals that go back many years. Therefore, the area that may be the most pertinent for immediate review is consent, a core tenet of data protection law. Obtaining an individual’s consent in order to process their personal information may seem an easy way to establish a legal basis for processing, however consent is not as straightforward a concept as it may at first appear, particularly when it is not clear what conditions must be met for that person’s consent to be effective.
The UK's Information Commissioner's Office (ICO) has updated its overview of the GDPR(here) and the enhanced requirements for consent under the GDPR. The guidance makes clear that getting consent right is a fundamental. Getting it wrong will leave the firm subject to the highest tier of administrative fines.
Consents need to be specific and granular, so the records equally need to be specific and granular to make clear exactly what the consent covers.
The UK ICO has stated that “if in doubt, we recommend you consider refreshing consent every two years.” Based on this, firms may decide to gain fresh consents from their entire customer base to ensure compliance ahead of the GDPR.
ACCOUNTABILITY IS ALSO CRUCIAL
The data protection principles set out in the GDPR are similar to those in the UK Data Protection Act of 1998(here), with additional detail and a new accountability requirement which requires firms to be able to show evidence of how they comply with the principles.
The GDPR explicitly promotes accountability, transparency, and governance. Firms are expected to adopt, test and maintain “comprehensive but proportionate governance measures.”
The objective is to minimize the risk of breaches and to uphold the protection of personal data. This will require firms to have more-detailed written policies and procedures, even if they already have good data protection governance measures.
The accountability principle requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
To demonstrate compliance with the GDPR, the ICO has said firms must:
-- Implement appropriate technical and organizational measures that ensure and demonstrate the firm is in compliance. This may include internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies.
-- Maintain relevant documentation on processing activities.
-- Where appropriate, appoint a data protection officer.
-- Implement measures that meet the principles of data protection by design and data protection by default. Such measures could include data minimization, and transparency, allowing individuals to monitor processing, and creating and improving security features on a continuous basis.
-- Use data protection impact assessments where appropriate.
COMPLIANCE TIPS AND NEXT STEPS
At many U.S. financial firms, data protection rests with the compliance function. Elizabeth Denham, the UK Information Commissioner, said in a January 2017 speech on GDPR and accountability(here), "We're all going to have to change how we think about data protection."
In preparation of GDPR, financial services companies should start by first evaluating their current data protection systems, identifying what personal data they hold, and bringing together their legal and IT teams to develop a detailed implementation plan.
Firms should consider how much data is high risk and is subject to the GDPR. This includes data managed by third parties. They need to determine which data is deemed to be controlled or processed.
At a minimum, businesses should be prepared to invest more in their data security capabilities, either by hiring additional staff or upgrading existing technology. In many cases, financial firms many need to appoint a data protection officer to liaise directly with regulators.
A good data protection program will include a framework where compliance and legal departments manage or oversee workflow with a strong accountability component, as there will be a need to evidence the privacy program to regulators.
Smaller or midsize financial institutions may struggle to find what the exact compliance solution to GDPR is. However, ignoring it is not an option. Evidence of data protection, a process, accountability, and transparency with the regulators are crucial. European regulators lack authority to enter U.S. offices. The “hook,” for EU regulators, as the attorney put it, is often the presence of a branch or affiliate in the EU.
GDPR’s requirements for data protection, while stricter, are in line with most regulations in the United States. There is nothing in the Cybersecurity Framework of the U.S. National Institute of Standards and Technology(here) that conflicts with the data protection practices required by GDPR. The NIST standards have served as a basis for much U.S. regulatory guidance or riules on cyber securitiy.
A consideration of GDPR is now essential in developing a regulatory compliance framework for dealing with the vast amounts of personal data created and shared every day within a firm subject to its reach. As with all new regulations, there will be an adjustment period. But all signs point to EU regulators taking an active stance when it comes to GDPR compliance.
Firms should create a unified compliance regime that accommodates all regulatory obligations. Since GDPR is more extensive than U.S. requirements, it will require organizations to better manage the immense amounts of data collected through an information system, tracking it from creation and initial storage to the time when it’s no longer needed and is destroyed, while at the same time providing specific criteria for managing the data storage.
According to Blank, GDPR will likely take effect as scheduled. “There’s an outside chance because of MIFDII currently underway that firms and regulators might be a touch overwhelmed that there could be a delay but I would not count on it,” Blank said. U.S. companies should prepare now before the May 2018 deadline as the penalties are significant.
(Henry Engler, North American Regulatory Intelligence Editor, contributed to this article.)
(Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence based in New York.)