Have You Assessed Your GDPR Risk? It Might Surprise You

Still unsure whether your CU needs to worry about GDPR? Two experts are here to help.

GDPR may impact your CU more than you might think.

Many U.S. credit unions have paid little attention to the European Union General Data Protection Regulation. But these organizations might be surprised to learn that the sweeping regulation can apply even to businesses with no direct operations within the EU.

The GDPR revises the standards for privacy rights, information security and compliance in the EU. It applies to all companies, inside or outside the EU, that access or process data of individuals residing in the EU. The regulation goes beyond the standards set by U.S. regulators. Credit unions must evaluate the GDPR as they would any regulation, taking the time to understand it, identify risks that could require compliance and quantify those risks.

The GDPR in a Nutshell

The GDPR gives individuals greater control over their personally identifiable information and seeks to protect the identity and privacy of individuals. It establishes strict requirements for how companies must manage the PII of individuals residing in the EU.

PII is defined broadly and can be sensitive or nonsensitive. Sensitive PII includes name, Social Security number, mailing address, email, or credit card or passport information. Nonsensitive PII includes identifiers that alone do not identify an individual – such as race, gender, birthdate, place of residence, or internet cookies or protocol addresses – but when linked with sensitive identifiers, could reveal the identity of an individual. The GDPR also includes provisions related to the following:

Some of these provisions are particularly notable. For example, in the case of a personal data breach, the GDPR generally requires the controller to notify the supervisory authority no later than 72 hours after becoming aware of it. U.S. state breach notification laws vary but require notification within anywhere from two to 90 days; the Health Insurance Portability and Accountability Act allows 60 days.

On the other hand, the position of the data protection officer – required in organizations that engage in large-scale systematic monitoring or processing of sensitive personal data – is similar to the information security officer required by the Gramm-Leach-Bliley Act. It also is similar to HIPAA’s privacy officer in terms of responsibilities.

The GDPR is not limited to organizations located in the EU. It also applies to companies located outside the EU that process personal data of individuals residing in the EU, regardless of where the processing occurs. More specifically, the GDPR applies to processing activities related to the offering of goods or services to individuals residing in the EU or the monitoring of their behavior through internet tracking. It explicitly states, though, that merely having a website that individuals residing in the EU can access is not sufficient to indicate an intention to offer goods and services to those individuals.

Applicability to Credit Unions

Many credit unions assume they are not subject to the GDPR if they do not have members who reside in the EU and are identified by an EU mailing address. Their confidence could be misplaced. GDPR obligations could arise on two fronts.

First, the GDPR applies to natural person and corporate credit unions that have members, or members with employees, who reside in the EU. For example, a credit union might market to all of the employees of a multinational corporation headquartered in the U.S., though some of those employees could be located in the EU. Or, a member who obtains a credit card, deposit account or loan in the U.S., or via the website of a credit union located in the U.S., and subsequently relocates to the EU could trigger GDPR compliance if the accounts and member information continue to be serviced and maintained by the credit union in the U.S. At this point, of course, questions remain about extraterritorial enforcement. The NCUA has not formally opined on GDPR enforceability within the U.S.

The greater risk, though, might stem from third-party vendors that qualify as processors under the GDPR. For credit unions, these could include:

A vendor that is subject to the GDPR may require its clients to follow certain processes and procedures that a credit union not required to comply with the GDPR might not otherwise be required to perform.

The Appropriate Response

Some credit unions that believe they are not subject to the GDPR are responding by obtaining a legal opinion from an attorney familiar with the credit union’s membership, operations and agreements, as well as international law and the GDPR specifically. Other credit unions that suspect they are covered by the regulation are taking a measured approach to compliance. For example, they might only reduce their breach notification time policy or apply the standards to members known to be located in the EU, rather than implementing all of the GDPR standards across the board.

The appropriate response will vary depending on each credit union’s circumstances, but one thing is clear: No credit union should sit back and ignore the GDPR based on nothing more than a cursory review. Rather, every credit union should evaluate the regulation as it would any other evolving risk. In other words, a risk assessment that takes into account the credit union’s risk appetite for privacy in general and the GDPR in particular is in order.

Credit unions should begin by determining, among other things, whether they:

Once a credit union has determined that its GDPR risk demands attention, it should assign responsibility for this regulation.

Act, Don’t React

Credit unions that have put the GDPR on a backburner or disregarded it as irrelevant altogether should take action to treat it as any other evolving risk. The first step is to appoint a steering committee with representatives from a variety of areas – including risk management, compliance, information technology, legal and internal audit. The steering committee should understand and analyze GDPR requirements and determine applicability. If the GDPR is applicable, the credit union should quantify those risks, identify the organizational risks of noncompliance, and define the processes, systems and controls to be implemented, so that it can settle on a plan of action. Credit unions that wait until regulators weigh in or vendors attempt to enforce contractual provisions in court might regret their passive approach.

Eileen Iles

Eileen M. Iles, CAP, CIA, CFSA is a Partner for Crowe LLP. She can be reached at 630-575-4376 or eileen.iles@crowe.com.

Niall Twomey

Niall K. Twomey, CRCM is Principal for Crowe LLP. He can be reached at 630-574-1806 or niall.twomey@crowe.com.