How the GDPR Affects Financial Institutions


The General Data Protection Regulation, or GDPR, is the set of regulations adopted by the European Union to dictate how personal privacy is handled. It went into effect in May 2018, but many US financial organizations are still considering the vast implications the GDPR has on the way that they handle data.

While the EU obviously doesn't govern organizations outside of its jurisdiction, most US financial institutions do business in Europe. The GDPR governs the way that companies use and store any personal data belonging to EU residents. This means that US financial organizations need to comply if they're doing any business in the EU or with European residents.

The US has its own laws which do govern privacy. In many cases, companies will already be in compliance with GDPR mandates. However, the GDPR is also a very involved, detailed, complicated piece of legislation. It's important for financial organizations to completely understand the GDPR in order to maintain compliance because you don't want to wind up stuck in a legal quagmire in Europe that impacts business dealings.

Core Concepts

The GDPR was created to govern the way companies handle citizens' personal information and privacy. For financial firms, this means that there has to be a strict protocol for how you deal with personal information. Personal information can include names, emails, usernames, and certainly more sensitive information, such as identification or social security numbers, physical addresses, and health information.

Technology is a wonderful thing in that it's allowed companies the ability to personalize their approach with customers. On the negative side, though, the gathering of this information can be used in a less than scrupulous way, which is what regulations, such as the GDPR, guard against.

Most US-based companies already follow strict guidelines with regard to personal information. But the GDPR's guidelines are complex and the possible fines are exorbitant — up to 4% of the company's revenue. It's important that you understand all facets of the GDPR in order to maintain compliance. These rules will often intersect with regulations that govern the physical location of your business, so some will already be met. In other cases, you'll want to go with the stricter compliance of the two so that you're always within the scope of the regulations.

Here are a few of the core concepts in the GDPR:

Consent

This is a clear statement by the individual that their information can be used and kept in accordance with GDPR. This means that the customer will not only need to be notified of the types of information you have and need but that they will have to allow you to use it. GDPR regulations also stipulate that customers need to be in control of their own private information. They need to be able to see the information related to them and to remove anything that they feel shouldn't be stored or kept by a company.

Breach Notification

According to the GDPR, any data breach needs to be reported to the proper authorities within 72 hours of when the breach occurred or when the company became aware of the breach.

Privacy by Design

This stipulation in the GDPR indicates that any new technology or process adopted by the company has to adhere to strict personal data regulations. Basically, the new technology needs to be planned with privacy considerations clearly followed.

Privacy by Default

Privacy by default stipulates that any new product or service that the client opts into has to be set at the highest possible privacy settings by default.

Privacy Impact Assessment

This document lays out the way a company processes personal information and includes the steps that the company has taken to stay in compliance with GDPR.

Transparency is a key concept wrapped into the GDPR. Customers need to know exactly what information is taken, kept, and stored so that they ultimately have control over their own data privacy. The only way to ensure that the person is in control of their data is to require companies to notify them about the information they hold.

Companies can use data that doesn't correlate to a person directly. For instance, taking customer information but removing identifying features, such as name, username, etc., is actually encouraged.

How Does the GDPR Impact Your Financial Organization's Functions?

The good news is that many of the stipulations included in the GDPR are already areas that US companies follow through our own regulatory compliance. The bad news is that the GDPR is very precise and not entirely simple. You may be following the spirit of the regulations but not meeting the other requirements. The first step is to clearly and meticulously go through all the GDPR requirements and compare them to other regulatory requirements you follow, as well as your own processes for dealing with personal information.

From there, you may need to upgrade some technologies, add documentation processes, or edit some of your current protocols.

Contact Us Today to Learn More About How the Sumerge Team Can Help Your Organization Comply with GDPR

Author: Adham Jan
Posted on: 23 Aug 2019