Pub. 9 2018 Issue 2
West Virginia Banker, Summer 2018, page 27

Advertisement

Sometimes you don’t know you need something better... until it comes along.

At The Bankers’ Bank of Kentucky, our goal is to show you what you and your clients may be missing. We’ve partnered with Elavon to provide Merchant Processing Solutions, and we want to build a partnership with you for one simple reason… You deserve the best. Contact The Bankers’ Bank of Kentucky for your Payment Processing needs.

• We are consistently rated among the top global payment providers
• We process more than 3 billion transactions annually around the world
• Our call centers are open 24/7, and our team is always ready to help
• We partner with 1,700 financial institutions

P.O. Box 713, Frankfort, Kentucky 40602-0713
www.bbky.com
David Fletcher, dfletcher@bbky.com, 304-389-4431
©2018 Elavon. All rights reserved.

Another requirement of GDPR is the need for a Data Protection Officer (DPO) within your institution. The DPO is tasked with ensuring that customer information is protected according to GDPR standards. The requirement for a DPO has changed, and our final understanding of what is expected may continue to change with codification. While the regulation mandates that entities which process data “on a large scale” must employ a protection officer, questions remain as to the exact definition of “large scale.”

In terms of compliance, the first step is to understand whether the financial institution has exposure. A privacy risk assessment can help an institution understand how personal and sensitive information is collected and used. If you determine that your institution has affected clients, the next step is a comprehensive data map. To properly protect information, you have to understand where and how data enters the network, how it is used, and how and where it is stored. This discovery process is valuable regardless of whether there are GDPR ramifications.

Another area that requires specific review is the 72-hour breach notification. Seventy-two hours is not a lot of time when you are faced with identifying a breach, deciding whether harm has been inflicted on impacted users, and notifying those users. To meet this mandate, it is critical that incident response plans are fleshed out, third-party forensic vendors are contracted, and personnel are trained for immediate action. Financial institutions must concentrate on improving detection processes. Notification responses should also be created and approved by compliance, management, and legal. In other words, advance preparation for GDPR is a must. Today, many institutions create post-mortem reports after incidents; that alone will not be sufficient to meet GDPR compliance.

The penalties for non-compliance are steep. Violators may be fined $20 million or 4% of annual global turnover, whichever is greater. Financial institutions can run afoul of GDPR if customers’ private or sensitive information is exposed, or if the breach notification process is not strictly adhered to. The takeaway from the GDPR regulation is to learn whether your institution is impacted and to plan ahead to meet the new guidelines.

AaSys Group helps financial institutions optimize their use of technology. AaSys provides health monitoring and patch management for all critical systems. Our Bank Operations Division negotiates lucrative core service agreements and guides banks through conversions and acquisitions. Any technology questions can be directed to Max Tipton (mtipton@aasysgroup.com; (304) 230-0384) or Cheryl Buntin (cbuntin@aasysgroup.com; (813) 309-4482).