Small and midsized banks in the US will be impacted by the EU’s new General Data Protection Regulation.

September 20, 2017 – American Banker

What happens when a cookie of a Brit in London lands on the server of a community bank in the U.S. if, on the off chance, the Brit browses the bank’s website?

It’s unclear, experts say, but U.S. banks — especially small and midsize banks — need to go find out because the European Union’s General Data Protection Regulation (GDPR) could affect them, unlike the EU privacy regulations before it.

The countdown is ticking on GDPR’s website. The law, approved by the European Parliament in April 2016, will take effect in late May 2018. It will apply to “all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location,” the website said.

“Basically any institution around the world that has an EU citizen, a European subject, is subject [to the law],” said Steve Ehrlich, lead analyst for emerging technologies at Spitzberg Partners LLC, a corporate advisory firm. “An EU subject doesn’t have to be a customer or employee.”

The law can apply even if the company does not have a European business arm, said Pam Dingle, principal technical architect at Ping Identity, a firm that helps companies manage their personnel’s identification needs.

Some of GDPR’s provisions will require banks to behave differently than under existing U.S. regulations. One example is that banks need to report data breaches to authorities within 72 hours of their discovery. “That’s not a lot of time,” Dingle said.

Large banks are already familiar with the law, said Andy Roth, partner at the law firm Cooley LLP, who focuses on legal issues surrounding new technology. But smaller banks “are just recognizing that they have a potential exposure” and “are now starting to understand what they need to do to get in compliance.”

GDPR also requires companies to provide clients with full access to data about themselves.

“A European data subject can make requests on what data the bank has on it, and can make changes and request deletion of the data,” said Roth, who is a former chief privacy officer at American Express. “These require business practices that banks don’t have in the U.S.”

Companies with multiple legacy systems will face one of the toughest challenges, Dingle said.

“The first problem you will have when you deal with GDPR is that you have to somehow be able to reconcile how the data flows between all these different databases, even though they were made in different times, they may have different formats [and] the data might be called something different,” she said. “That’s why a lot of these beautiful ideas of GDPR are very difficult in reality for people to execute on.”

Employees’ attitudes toward personally identifiable information need to change, too, Dingle said. Simple things such as exporting company data to a spreadsheet so one can work at home can put customer data at risk, she said.