GDPR is not a new thing. In fact, you might think we are a little behind the times writing an article about it now, given that most of the discussion about the new regulation must have been hashed out in the 2 years since it was implemented. But here we are, and there is a good reason for it. Even 2 years on, there is still a lot of confusion around GDPR in finance circles, particularly when it comes to banks. We’ve seen a lot of opinions stating that foreign banks outside the EU couldn’t possibly be subject to an EU directive, particularly in parts of Asia. But the truth is, GDPR is not about where you as a business or financial institution are – it is about who your customers are as citizens.
The Basics of GDPR
Just in case there is some confusion, let’s start with a basic rundown on the relevant points of GDPR. GDPR (or the General Data Protection Regulation) is an EU directive designed to protect the data and privacy of EU citizens. There are 11 chapters within GDPR, each detailing an area of data protection, identifying why data might be processed, and issuing rules around how it should be gathered, stored and processed. But at its core are 7 key principles:
- Lawfulness, Fairness & Transparency – You need to have a lawful reason to collect, store and process the data of EU citizens. The way you utilise that data needs to match the reason you collected it, and you must provide proof that you had permission to collect, store and process that data for that purpose.
- Purpose Limitation – You must inform your clients about the purpose of data collection, and this purpose must be ‘specified, explicit and legitimate’. Data must only be collected and used for those purposes – the ones you have informed the data subject about and obtained consent for.
- Data Minimization – Personal data collections should be ‘adequate, relevant, and limited to what is necessary in relation to the purpose for which it is processed’. This principle was designed to cut down the collection of personal data to an absolute minimum, so you cannot collect data without a valid reason for it.
- Accuracy – Personal data must be accurate and kept up to date. You must make sure that you don’t retain any old or outdated contacts, and you must erase inaccurate personal data without delay.
- Storage Limitations – Following on from the data minimization principle, all personal data collected must be kept in ‘a form which permits identification of data subjects for no longer than necessary.’ This means setting a retention period for all personal data, justifying why you need to keep the data that long, and documenting it. It also means ensuring secure and complete destruction of the data when the retention period is up, with proof.
- Integrity and Confidentiality – All personal data must be handled in a secure and confidential manner that protects against unlawful processing, accidental loss, destruction or damage. This means you must implement efficient anonymisation or pseudonymisation systems to protect the identity of your clients.
- Accountability – Finally, you need to be able to provide thorough records and documentation to prove you have done all of the above.
If you want more detail about any of those sections, you can find the full regulations here.
If you are subject to GDPR (which, as we explain below, almost all banks are), then you need not only to meet these principles, but also to be able to prove it upon inspection by the Information Commissioner’s Office (ICO). Otherwise, you could be subject to a fine of up to €20 million, or up to 4% of your annual worldwide turnover for the preceding year – whichever is higher. So not being compliant could be a very costly mistake.
Why Even Non-EU Banks are Subject
The key element that many businesses, and in particular financial institutions, outside the EU are missing is that GDPR applies to your business if you have even a single touchpoint with an EU citizen. So if you’re a financial institution based in Taiwan, but have a customer who is an EU citizen, then your whole institution needs to be GDPR compliant. If you have a branch based in an EU country, for example Luxembourg, then the entire institution needs to be GDPR compliant. It doesn’t matter where in the world your business is – if you have a single touchpoint with an EU citizen, GDPR applies. It essentially follows the same framework as FATCA – in that it’s an extraterritorial regulation that applies globally. The only way you wouldn’t fall under it is to have absolutely no connection with any person who is an EU citizen, at all. For banks, this is nigh on impossible. So not only are financial institutions all over the world subject to their own specific data protection regulations, but they are subject to GDPR as well. It really is that simple.
On the operational side of things, GDPR poses a problem for institutions in non-EU countries. Because EU data protection regulations are mature and extensive, they are often set at a higher standard than those of many non-EU countries, which means that financial institutions in those countries will have to analyse their business and either remove the issue or adapt their policies and procedures to meet the higher standards. This isn’t a new issue – we’ve seen it before with FATCA. One of the main international responses to FATCA was to refuse accounts to US persons. The difficulty with that is that it did not actually remove the problem, because FATCA is a ‘negative proof system’: due diligence has to be performed even if the result is that there are no US Persons. For GDPR, it’s much more difficult to take the approach of divesting EU customers, because there are 27 member States in the EU – making it unlikely to be a workable strategy. The only realistic strategy is to upgrade your own data protection standards to meet the GDPR.
At TConsult, it’s our job to help financial institutions all over the world understand what regulations they need to follow, and what they should be doing to achieve compliance. We’ve been working with quite a few clients who, while working on other compliance projects, have discovered they are subject to GDPR and have not got the relevant processes in place. So while we might not consult directly on GDPR, we will always ask the question and help you find out if GDPR applies to you. If you would like more information, or to talk about QI, FATCA and CRS/AEoI, just get in touch to book a chat with one of our consultants.