Pub. 9 2018 Issue 2

West Virginia Banker, www.wvbankers.org, page 26

General Data Protection Regulation: What Does This Mean for My Institution?

By Max Tipton and Cheryl Buntin, AaSys Group, Inc.

The European Union's General Data Protection Regulation (GDPR) is akin to GLBA's privacy protections on steroids! GDPR is extraterritorial in that it covers EU citizens residing in Europe as well as EU citizens while they are living in or visiting the United States. The ruling specifically applies to those entities processing personal and sensitive personal data for EU citizens. "Processing" has a very broad meaning within this regulation and applies to activities occurring inside or outside the EU. Activities impacting data include "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available ... erasure or destruction." [1]

If your institution currently works with firms in the European Union or has clients who reside in the EU but spend time in the United States, GDPR compliance is applicable. Because the storage and transmission of data are included in the definition of processing, the regulation broadens the potential impact to a financial institution's customers.

Data subjects (i.e., your clients) have specific rights enumerated under GDPR, including:

1. Information about how their data will be processed
2. Access to data being stored
3. The right to have their data sent to themselves or third parties
4. The right to be notified if their data is sent to a third party
5. The right to correct errors
6. The right to be forgotten (information deleted)

GDPR restricts the profiling of customers based on the automated processing of their data. This regulation also covers publicly available information that contains personal or sensitive data.

Personal data can include "name, an identification number, location data, an online identifier or ... factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." [2] GDPR dictates that encryption of data is required. Additionally, data breach notification within 72 hours of the breach is required for processors.

It is important to understand the role of the financial institution in GDPR compliance. Financial institutions are deemed "controllers," meaning that they decide the means and purpose of processing a client's personal data. "Processors" constitute third-party vendors (i.e., core vendors, internet and mobile banking providers) that perform the actual processing. While third-party vendors have a higher level of liability, the controllers retain primary responsibility for the protection of personal data.
