Long before the Snowden/NSA leaks, the EU had been planning to unify data protection under a single law, the General Data Protection Regulation (GDPR), which makes significant updates to the existing Data Protection Directive. Currently being discussed within the EU Parliament's Committee on Civil Liberties, Justice and Home Affairs, the regulation is expected to be adopted in 2014 and enforced from 2016. It will apply to all EU citizens, irrespective of their domicile, and covers "any information relating to an individual, whether it relates to his or her private, professional or public life."
The proposed regulation has implications for banks and financial services companies, including:
- Privacy by Design and by Default (Article 23) requires that data protection is built into systems and processes and that privacy is accorded a high priority;
- Data Protection Officers (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for enterprises with more than 250 employees;
- Breach notification. The company's data controller has to inform the Data Protection Authority (DPA) within 24 hours of becoming aware of any breach (Article 31). Individuals must be notified where the breach is likely to adversely affect them (Article 32);
- Right to be Forgotten. Upon withdrawal of consent (or once the data is no longer necessary for the purpose for which it was collected), an individual's data must be deleted unless there is a legitimate reason for its retention (Article 17); and
- A range of fines can be levied for non-compliance: up to EUR 250,000 or 0.5% of annual global turnover for not responding to requests by the data subject or the DPA, and up to EUR 1 million or 2% of annual global turnover for not complying with specific GDPR requirements.
Second-order effects are likely to include conflicts with existing and proposed anti-money-laundering (AML) rules: the narrower "legitimate interest" ground for processing may make it more difficult to collect and retain information on individuals. In addition, authorities in third countries will not be allowed access to data without a bilateral treaty in place.
While still some way off, the GDPR is another nail in the coffin of siloed data systems. Along with Dodd-Frank, EMIR, Basel III, FATCA et al., it represents another imperative for clean, cohesive and controlled data management.