European Data Privacy Regs Will Impact Credit Unions

May 2, 2017 Marketing GrafWebCUSO

Thousands of American companies, including credit unions, that do business with European customers need to reckon with the EU’s General Data Protection Regulation, which goes into full effect a year from now.

The GDPR changes the handling of personal and corporate data, particularly in terms of personally identifiable information. The regulation, slated for a May 25, 2018 rollout, already weighs heavily on the European business community, but comes as a surprise to many U.S.-based enterprises.

Nevertheless, the financial services industry is beginning to evaluate how to tackle the incoming data protection regulation because many expect financial institutions to wear the biggest bull’s-eyes when GDPR finally comes into play. Financial institutions have a little over a year to come up with a comprehensive approach and plan for managing and securing European consumer data.

“If you are a credit union in the U.S. you are likely going to have to comply with this law if you have any members who moved to Europe or live in Europe,” Michael S. Edwards, VP and general counsel of the World Council of Credit Unions, said.

Edwards, who worked on the issue for WOCCU, explained there is currently a data-privacy shield framework that the U.S. Commerce Department allows for transferring data from Europe to U.S.-based companies. “That’s not going to help at all with this GDPR regulation; you are going to have to comply with both.”

“The European Commission says you have to have a representative in each country where a member lives,” Edwards said. In addition to having a registered agent, Edwards noted credit unions must have a data-protection officer and an EU-focused privacy policy for members living in Europe. The fines for not complying with GDPR are up to 20 million Euros (almost $22 million) per violation or up to 4% of the organization’s annual revenue, whichever is the higher amount.

Gary Southwell, general manager of Boston-based CSPi, suggested, “Credit unions should ask themselves, ‘Do we have this type of information?’ The next question they should ask is ‘Does it matter?’” Southwell also pointed out that GDPR not only goes into effect across all 28 EU nations but the United Kingdom plans to adopt GDPR despite Brexit, at least for now.

Joe Garber, vice president of marketing, information management and governance software at Palo Alto, Calif.-based Hewlett Packard Enterprise, views GDPR as helping organizations identify and secure sensitive information. “What they need to do is get started; identify what their greatest risks are first.” With 270 pages to tackle, many organizations do not know where to get started.

Read more about the GDPR effect on credit unions in the May 10, 2017 print issue of CU Times.