As the European Union prepares to implement its comprehensive General Data Protection Regulation (GDPR), the lack of action by U.S. financial institutions and regulators concerning data privacy is becoming harder to ignore.
The GDPR is an effort to return control of personal data to the individual. Basic personal information, such as name, home address, photo, email address, bank details, social networking posts, medical information, and even a computer’s IP address, cookie strings or mobile device IDs, can be protected from collection without permission.
Why should U.S. financial institutions be concerned?
The GDPR applies to any financial institution that serves even a single EU customer. Therefore, any U.S. financial institution (or business, for that matter) with EU customers must comply with the GDPR and keep documentation of that compliance. It is also reasonable to expect a domestic push to adopt many of the same standards in the United States sooner rather than later.
The mining and exchange of data is a fact of doing business today. Protecting that data in a way that is consumer-friendly and responsible is a matter of good business. To be sure, preparing for GDPR compliance and data privacy regulations will be time-consuming and challenging, but worth the effort.
The following are a few suggestions for how U.S. financial institutions can begin to prepare.
Appoint a data protection officer. While the GDPR requires someone to hold this designation, it does not explain the responsibilities of that individual or role. However, it is reasonable to assume this position will be responsible for:
- Educating and training staff about compliance requirements.
- Conducting audits and monitoring data privacy compliance.
- Coordinating communications to members about how their data is being used, their rights to have it erased, as well as the protective measures the credit union has developed.
For credit unions not currently concerned about GDPR, such a person is still useful in putting data privacy protections in place.
Map the flow of data. Credit unions should track and analyze their data sources, the data they hold, and with whom they have shared it. This exercise will help in formalizing, documenting and securing the process.
Review existing plans. Security, disaster recovery and other established plans will likely have to be adjusted to ensure data privacy is addressed within them.
Keep up to date on policies and issues that impact data privacy. Because of the May 2018 GDPR deadline, the number of best practices to review is growing. Some areas to watch include:
- The scope of the data protection officer role.
- The types of data the credit union keeps to satisfy other regulations and other areas of compliance.
- How the credit union is adapting to losing the automatic member opt-in.
- How fines are being applied to breaches. In the past, companies were allowed to self-report within an unspecified amount of time. Now, companies must report within 72 hours or risk being fined. Fines are also levied depending on the data involved in the breach.
These will likely help shape the conversation about how stateside regulations will look.
Be an advocate. Consumers and policymakers are more likely to be responsive to suggestions from the financial sector if you are proactively working to protect consumer data. Be vocal about the opportunities and challenges that currently impact your ability to act as an advocate for your members.
With more data available than ever before, credit unions have an opportunity to better serve their members with customized products and services, but that opportunity comes with responsibility. You must be willing to examine your own data collection practices and ensure you are keeping consumer data as safe as possible. You also need to be part of the conversation. Otherwise, you risk being burdened with regulations and rules that will prohibit true growth and excellent member service.