What is GDPR, and why should you care?

Community banks with customers living or traveling in the European Union are subject to the EU’s General Data Protection Regulation (GDPR).

Could the EU’s recently implemented consumer-privacy regulation soon touch your shores? Here’s what you need to know.

By Mary Thorson Wright

Global data protection.

That’s a lot to wrap your head around. But under a new set of rules enacted by the European Union (EU), U.S. community banks may need to broaden their view of the risk associated with collecting and storing personal data.

On May 25, 2018, compliance became mandatory for the EU’s General Data Protection Regulation (GDPR). The GDPR sets new standards around protecting and using customer data, and consumers’ rights regarding their data.


“Data protection is more important than ever, and people are more aware and more sensitive about the privacy of their financial and personal information,” observes Prabhash Shrestha, ICBA executive vice president and chief digital strategy officer. “The growing list of high-profile companies suffering data breaches that are in the headlines, such as Target and Home Depot, and Facebook’s recent misuse of customer data continue to heighten data security concerns.”

In an RSA survey conducted Dec. 15, 2017, through Jan. 3, 2018, 80 percent of respondents said lost banking and financial data is of top concern, 76 percent said they were worried about lost security information, and 72 percent cited identity theft as a concern.

Quick stat: 80 percent of poll respondents considered lost banking and financial data a top concern.

While GDPR may seem oceans away, underestimating exposure can be costly: failure to comply can result in a fine of up to €20 million (about $26 million) or 4 percent of the company’s global revenue, whichever is larger. “On top of the heavy monetary penalty, the GDPR imposes a 72-hour deadline to report breaches, beginning the moment you know a breach occurred,” adds Shrestha.

GDPR mandates that companies get affirmative customer consent before processing or storing customer data, and they must clearly explain how the information will be used and for how long it will be used and stored. GDPR is built on the data minimisation principle, which requires companies to use and keep only the personal data that is needed at any given time for any given purpose. Customers have the right to withdraw consent at any time.

Who does GDPR apply to?

According to the EU Charter of Fundamental Rights, the new rule applies broadly to EU citizens or customers for transactions that occur when the covered person is within one of the 28 current EU member states. It applies to European businesses that work with EU citizens’ customer data and to any entities that work with those businesses. It also applies to entities that collect or process the personal data of individuals located inside the EU, or offer goods or services to EU residents, regardless of the company’s location.

The GDPR offers guidance on the protection afforded by the regulation that “[it] should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” It does not, however, stipulate the impact of the rules on people located in the EU as tourists, on foreign work assignments or as overseas service members. When a U.S. citizen travels to the EU, for instance, access to a bank’s online banking systems could potentially trigger GDPR compliance. U.S. citizens living in the EU would be covered.

New rules from one entity often send ripples across regulatory agencies, broadening oversight and spreading regulatory requirements. Community banks should stay abreast of communication from U.S. regulators about GDPR or other privacy and data security changes. While community banks may assume they have no obligations under GDPR, they should conduct due diligence to assess any risk exposure, including:

  • learning about the GDPR and including the stakeholders from areas potentially affected, including legal, compliance, IT and information security, marketing and customer relations
  • conducting a GDPR risk assessment and monitoring for changes and clarifications to the coverage of rules that would affect the risk assessment
  • building GDPR checks into routine reviews of policies and procedures
  • building GDPR into periodic compliance and internal audit procedures
  • reviewing data breach procedures. GDPR requires all data breaches to be reported within 72 hours.

Community banks should not underestimate their potential for GDPR compliance risk. They should take steps to confirm the status of account holders, as well as their own policies and procedures for opening and maintaining accounts relative to potential GDPR exposure. “With the rising concern globally about cybersecurity, privacy and identity theft, community banks cannot afford to leave risk mitigation to chance,” concludes Shrestha. “They must measure it proactively and act accordingly.”

Mary Thorson Wright, a former Federal Reserve examiner, is a financial writer in Virginia.