5 minute read 1 Nov 2018
Woman Rear Car Driving Through New York City

How GDPR impacts financial services organizations

By Cindy Doe

EY Americas Consulting Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.

5 minute read 1 Nov 2018

Show resources

  • GDPR demanding new privacy rights and obligations (pdf)

  • Demonstrating data privacy for gdpr and beyond (pdf)

  • IAPP EY annual privacy governance report 2018 (pdf)

  • When it comes to gdpr compliance (pdf)

    Download 687 KB

On 25 May 2018, the EU’s new General Data Protection Regulation (GDPR) came into effect, ushering in unprecedented levels of data protection.

Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of their geographic location.

GDPR highlights

  • Organizations have only 72 hours to report data breaches.
  • Privacy-by-design principles need to be incorporated into the development of new processes and technologies.
  • Explicit and affirmative consent is required before processing personal data.
  • Most organizations now need to designate a Data Protection Officer.
  • Organizations have to maintain records of processing activities.
  • Organizations need to scale security measures based on privacy risks.
  • International transfers are subject to specific requirements and mechanisms.
  • Organizations now report to one supervisory authority
  • Organizations have to facilitate customers’ and employees’ right to erasure (of data), right to portability, and an increased right of access.

Important terms

The GDPR prescribes certain responsibilities and liabilities to controllers and processors of personal data. It is important to understand these terms as they are defined within the GDPR.

  • Controller: a body (alone or jointly with others) that determines the purposes and means of the processing of personal data
  • Processor: a body that processes personal data on behalf of the controller; processing activity can include collecting, organizing, storing, disclosing, using, etc.
  • Personal data: any information (single or multiple data points) relating to an identified or identifiable natural person such as name, employee identification number or location data

Impacts of GDPR across your organization

GDPR impacts
  1. Penalties for failing to comply with the basic processing principles of GDPR may subject the organization to fines up to €20 million or 4% of the organization’s total global revenue, whichever is greater.
  2. Imposes new obligations for both controllers and processors of personal data.
  3. Places a greater emphasis on accountability requiring greater documentation and records.
  4. GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.
  • Data protection impact assessment – This assessment, required for high risk personal data processing activities, can help organizations identify risks and define mitigating actions.
  • Data privacy accountabilities – The GDPR states that the controller is responsible for confirming that a firm adheres to the law’s privacy principles.
  • Condition for processing – The processing of personal data must rely on a lawful basis as outlined in the GDPR.
  • Data protection officer – Firms that conduct large-scale systematic monitoring of EU residents’ data or process large amounts of sensitive personal data must appoint a qualified DPO.
  • Privacy by design (PbD) – Organizations are required to establish privacy controls from the outset of product or process development.
  • Right to erasure – An individual can request the deletion or removal of personal data when there is no lawful reason for its continued processing.
  • Consent – Consent must be freely given and explicit, indicating the individual’s specific agreement to the processing of personal data.
  • Data breach notification – Organizations must notify the supervisory authority of a data breach within 72 hours of becoming aware of it.
  • Data portability – This allows individuals to move, copy or transfer personal data easily from one organization to another in a secure way for their own purposes.

Implement a privacy risk management framework

Implementing the GDPR should be viewed as an integrated exercise set within each firm’s overall privacy risk management framework. GDPR touches on all aspects of an organization, reaching across people, processes and technology and, as such, establishes a cross-functional team that supports the transformation of the company, which is a critical step for a successful implementation. 

Key facts about the GDPR

  • Applicability
    Applies to organizations established within the EU — and to organizations outside the EU if they are processing personal data of EU residents in connection with providing goods or services to EU residents or are monitoring the behavior of individuals in the EU.

  • Fines
    Up to €20 million or 4% of the organization’s total global revenue, whichever is greater; also provides individuals new rights to bring class actions against data controllers or processors, if represented by not-for profit organizations, which heightens litigation risk.


    For firms impacted by the GDPR, it is important that the right governance and program structure is put in place from the outset. A cross-functional, cross-business team is required. To be successful and sustainable, this effort cannot be buried in legal and compliance.

    About this article

    By Cindy Doe

    EY Americas Consulting Risk Leader

    Seasoned financial services professional. Resides in Massachusetts with her husband and three children.