EU Regulation May Impact U.S. Financial Institutions

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. It applies to any organization that is established in the EU or that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of where the organization is headquartered, and it prohibits collecting or processing personal data without a lawful basis, the most familiar of which is the individual’s consent. Therefore, financial institutions with global operations, even if headquartered in the U.S., are subject to the GDPR.

Under the GDPR, personal data means information specific to the “physical, physiological, genetic, mental, economic, cultural or social identity of a natural person” and includes a person’s name, photo, email and where they bank, as well as posts on social media, medical information, computer IP addresses and much more. Since individuals have the right to a copy of the data kept about them (the right of access) and the right to demand that an organization delete that data (the right to erasure), the new regulation places significant IT, security and legal burdens on institutions to ensure that they, and their third-party vendors, obtain customers’ consent (or can point to another lawful basis) before collecting and holding personal information, and that they can locate and produce or delete that data on request.

How personal data is owned, managed and used is a hot topic among consumers as a result of large-scale data breaches like the Equifax breach, which compromised data for 145.5 million consumers, and, more recently in the news, the invasive ways Facebook and its advertisers collected, stored, used and shared personal data.

One of the biggest challenges for institutions running legacy systems, with components cobbled together over time, will be conducting a “deep dive” investigation to understand where and how consumer data is stored, how it flows between different databases in different formats, whether consumers gave consent to the collection of their personal information, which vendors may have accessed it over the years, and how to stay compliant going forward. And compliance matters: the GDPR sets two tiers of administrative fines, up to 10 million euros or two percent of annual worldwide turnover for the lower tier, and up to 20 million euros or four percent of annual worldwide turnover for the more serious infringements, in each case whichever amount is higher.

Even if an institution doesn’t operate globally, the new regulation is prompting financial institutions to anticipate, and start planning for, a time when U.S. customers demand the same high level of personal information protection.
