
General Data Protection Regulation (GDPR): demanding new privacy rights and obligations

Perspectives for global financial services firms


On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) became applicable, ushering in a new level of data protection for individuals in the EU. Backed by administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of where those organizations are located.


For non-EU based financial institutions

  • GDPR: demanding new privacy rights and obligations (PDF)

For EU-based financial institutions

  • Developing your GDPR response for competitive advantage (PDF)
  • Demonstrating data privacy for GDPR and beyond (PDF)


Key facts about the GDPR


Applicability

applies to organizations established within the EU, and to organizations outside the EU if they process personal data of individuals who are in the EU in connection with offering goods or services to those individuals (whether or not payment is required) or monitoring their behavior within the EU

Fines

up to €20 million or 4% of the organization’s total worldwide annual turnover, whichever is greater; the GDPR also gives individuals the right to mandate a not-for-profit body to lodge complaints and pursue compensation claims on their behalf, which heightens litigation risk

GDPR highlights

Organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must be informed without undue delay where the risk to them is high.

Privacy-by-design and privacy-by-default principles need to be incorporated into the development of new processes and technologies.

Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous (and explicit for special categories of data). Consent is only one of several lawful bases for processing, not a blanket prerequisite.

Organizations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data, must designate a Data Protection Officer.

Organizations have to maintain records of processing activities.

Organizations need to scale security measures to the privacy risk of the processing; the GDPR names pseudonymization, encryption, resilience and regular testing of controls as examples of appropriate measures.

International transfers are subject to specific requirements and mechanisms.

For cross-border processing, organizations deal with a single lead supervisory authority (the “one-stop shop”) rather than a regulator in every Member State.

Organizations have to facilitate customers’ and employees’ right to erasure (of data), right to portability, and an increased right of access.



Important terms:

The GDPR prescribes certain responsibilities and liabilities to controllers and processors of personal data. It is important to understand these terms as they are defined within the GDPR.

  • Controller: a body (alone or jointly with others) that determines the purposes and means of the processing of personal data
  • Processor: a body that processes personal data on behalf of the controller; processing activity can include collecting, organizing, storing, disclosing, using, etc.
  • Personal data: any information (single or multiple data points) relating to an identified or identifiable natural person such as name, employee identification number or location data

Is GDPR applicable to you?


Although GDPR brings a welcome harmonization of fragmented data protection laws across EU Member States, its wide-reaching impact and stringent rules require a fundamental organizational shift, even for businesses compliant with existing legislation.

Many non-EU financial services firms assume that the GDPR does not apply to them, often without a clear understanding of how the regulation’s territorial scope actually works. The three distinct questions below can be used to assess GDPR applicability*:

Are you or your service providers a processor or controller located in the EU (e.g., do I have an affiliate organization in the EU)?*

Are you or your service providers a processor or controller that offers goods or services in the EU (e.g., do I offer payment services in England)?*

Are you or your service providers a processor or controller that monitors behavior in the EU (e.g., am I a third party that monitors credit card balances in France)?*


If you answer no to all of the questions above, the GDPR may still apply later on; questions to consider include (but are not limited to):

  • Do I have any plans or aspirations to do business in the EU in the future?
  • Do I process data of EU citizens who reside in the US?

*Note – the responses to these questions should be evaluated based on the facts and circumstances in your organization and discussed with legal counsel.

The third question, “Are you or your service providers a processor or controller that monitors behavior in the EU?”, captures a broader range of activities than many firms think. Consider centralized functions that conduct surveillance, such as for fraud, anti-money laundering, sanctions or cyber threats. To the extent those functions use data related to individuals in the EU, your firm may be subject to the GDPR requirements.

Impact of GDPR across your organization


GDPR impacts

Penalties for failing to comply with the basic processing principles of GDPR may subject the organization to fines up to €20 million or 4% of the organization’s total worldwide annual turnover, whichever is greater.

Imposes new obligations for both controllers and processors of personal data.

Places a greater emphasis on accountability, requiring greater documentation and records.

The GDPR has applied since 25 May 2018; organizations that have not yet implemented the required changes are already exposed to enforcement.

GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and privacy.


Requirements:

  • Data protection impact assessment – This assessment, required for processing activities likely to result in a high risk to individuals, helps organizations identify risks and define mitigating actions before processing begins.
  • Data privacy accountabilities – The GDPR makes the controller responsible for complying with the data protection principles and for being able to demonstrate that compliance.
  • Condition for processing – The processing of personal data must rely on a lawful basis as outlined in the GDPR.
  • Data protection officer – Firms whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data, must appoint a qualified DPO.
  • Privacy by design (PbD) – Organizations are required to establish privacy controls from the outset of product or process development.
  • Right to erasure – An individual can request the deletion or removal of personal data when there is no lawful reason for its continued processing.
  • Consent – Where consent is the lawful basis, it must be freely given, specific, informed and unambiguous, indicating the individual’s agreement to the processing of personal data; explicit consent is required for special categories of data.
  • Data breach notification – Organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
  • Data portability – This allows individuals to receive their personal data in a structured, commonly used and machine-readable format and to move, copy or transfer it from one organization to another in a secure way for their own purposes.

Which parts of your organization will be most affected?

First line of defense

This encompasses business lines, day-to-day operations, technology groups, customer relationship management, marketing and human resources and involves issues such as client segmentation, protection of employee data and how data is gathered, processed, stored and transferred.

The impact of GDPR is enormous and spans a multitude of organizational areas (figure: The Impact of the GDPR).

Second line of defense

This encompasses third-party risk management, monitoring, compliance and risk management and involves issues such as web traffic, alignment with legal requirements and privacy risk reporting.

Third line of defense

Internal audit is responsible for reviews of access processes and procedures, compliance monitoring and validation of the privacy framework.

Source: EY’s Cybersecurity: three lines of defense webcast, 12 January 2017

How we can help


Implementing the GDPR should be viewed as an integrated exercise set within each firm’s overall privacy risk management framework. Because the GDPR touches on all aspects of an organization, reaching across people, processes and technology, establishing a cross-functional team to drive the transformation is a critical step for a successful implementation.


EY’s privacy risk management framework


Next steps


Educate key stakeholders, including the board of directors

Assess whether, and to what extent, the GDPR applies to your organization

Establish cross-function and cross-business governance structure

Design and execute a prioritized implementation plan


Featured insights


Why every APAC institution should be thinking about GDPR

If your APAC institution offers financial services to, or monitors the behavior of, individuals in the EU — either directly or through indirect relationships — then the GDPR applies to you.

Global companies remain challenged by GDPR implementation, EY survey finds

The third biennial EY Global Forensic Data Analytics Survey examines the responses of 745 executives from 19 countries and analyzes the legal, compliance and fraud risks global companies face.

Europe's new data rules go much deeper than PCI

U.S. payments processors, banks and retailers have dealt with the various Payment Card Industry security standards. But the new data rules go much deeper and many U.S. companies must comply.

An integrated vision to manage cyber risk

Cybersecurity is everyone’s responsibility in today’s financial services organization. This report looks at the current cyber risk landscape and how best to protect your business.

Governing cyber risks in financial services

Retaining talent, addressing compliance risks and integrating cybersecurity with innovation are all key areas board of directors at financial services companies should be aware of in their governance approach.

The evolving role of the board in cybersecurity risk oversight

Cybersecurity continues to be high on board agendas, and recent regulatory and reporting developments at the federal, state and global levels have made cybersecurity risk oversight even more challenging.

GDPR: making data privacy work in financial services

In April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). Organizations had until 25 May 2018 to establish a strong framework for safeguarding individual privacy.

Webinar

This webinar, produced in conjunction with BrightTALK, focuses on immediate actions to take and on building a long-term privacy strategy post May 2018. Panelists are asked to contribute their views on the EU and non-EU impacts of GDPR for the financial services sector.

Contact us


Americas

Cindy Doe
+1 617 375 4558
cynthia.doe@ey.com

John Doherty
+1 212 773 2734
john.doherty@ey.com

Ed Keck
+1 216 583 1296
ed.keck@ey.com

Angela Saverice-Rohan
+1 213 977 3153
angela.savericerohan@ey.com

Mark Watson
+1 617 305 2217
mark.watson@ey.com

EMEIA

Tony de Bos
+31 88 40 72079
tony.de.bos@nl.ey.com

Steve Holt
+44 20 7951 7874
sholt2@uk.ey.com

Konrad Meier
+41 58 286 4327
konrad.meier@ch.ey.com

Erol Mustafa
+44 20 7951 0700
emustafa@uk.ey.com

Philippe Zimmermann
+41 58 286 3219
philippe.zimmermann@ch.ey.com

Asia-Pacific

Jeremy Pizzala
+852 9666 3428
jeremy.pizzala@hk.ey.com