Even though GDPR (the General Data Protection Regulation) is a European Union (EU) law, it still has implications for US-based financial firms. GDPR reaches US organizations as well, and it has been regarded as the largest impact on data privacy obligations in the US since the passing of HIPAA.
What is GDPR?
GDPR, at its core, is about the protection of personal data. With data breaches continuing to threaten every company in 2019, organizations are under intense pressure to put cybersecurity strategies in place to counter them.
Under GDPR, organizations must ensure that personal data is collected lawfully and only under specific conditions. Those who collect it are also obliged to protect it from exploitation or misuse and to respect the rights of the data subjects. Failure to meet these obligations can result in penalties.
How does GDPR impact US-based financial firms?
GDPR applies to any company operating in the EU, as well as to companies outside the EU that offer goods or services to EU citizens. Thus, for many US-based financial firms, GDPR becomes relevant: if your customer base or operations extend to people in the EU, you are responsible for compliance. To establish compliance, you may need to undertake a risk assessment to understand where the gaps are.
Steps for compliance
Identify and categorize the data your company collects and processes
You start the process of compliance by analyzing your current practices. You’ll need to carry out a comprehensive assessment of what data you collect and why. Start with these questions:
- Do you ask for personal data from EU citizens?
- How do you obtain such information?
- What do you do with the data?
- Who has access to the data?
- Where is the data stored?
- Does your company have a backup and disaster recovery plan related to the data?
Once you’ve assessed where you stand and whether you collect data from EU citizens, you’ll know whether you need to enact compliance measures.
Ensure you have a legal basis for processing data
GDPR seeks to limit the collection, storage, and use of personal data by companies. To be compliant, you must have a legal basis for each of these activities. Legal bases include:
- You’ve been given explicit consent to use the data for a specific purpose; for banks, this would be the access to data needed to service accounts or enable transactions
- Data processing is pursuant to a contract
- Processing is necessary in the public interest or to meet EU legal obligations
Create company policies and procedures related to GDPR
Policy creation is critical for GDPR compliance. Your policy must include a way for EU citizens to exercise their individual privacy rights. You’ll have to provide disclosures to these data subjects covering the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing, the right to data portability, and the right not to be subject to automated decision-making.
Adopt GDPR-compliant privacy notices
You’ll need to craft GDPR-compliant privacy notices and make them accessible at every point where data is collected. Each notice will need to address a range of information, including the purposes of processing, the identity of the company, and data retention periods.
Ensure data protection and security
In this step, you’ll need to ensure that your cybersecurity measures provide a “reasonable” level of protection for the data. You should consider elements such as encryption, confidentiality, the ability to restore and access data, the potential risks, and how to ensure that any third-party processors follow the same standards.
These are the essential beginning steps for any financial firm to consider when focusing on GDPR compliance. It’s a very complex process, and one that can be streamlined with the help of IT security experts, like those at Imagis. If you are struggling with GDPR compliance, contact us today for a consultation.