In less than two weeks the new General Data Protection Regulation (GDPR) will be in full force. Most companies subject to the GDPR have prioritized efforts to implement the necessary internal safeguard measures, procedures and required contractual provisions.
However, to ensure effective compliance, privacy requirements must be assessed under the appropriate lens of a data controller or data processor. The privacy requirements must also be integrated into components of a compliance program that are indirectly impacted under the GDPR.
AML due diligence programs typically include mandatory procedures for conducting required customer due diligence prior to onboarding. For example, under FinCEN’s customer due diligence requirements, financial institutions are required to identify and verify ultimate beneficial ownership (UBO) information of customer entities. In order to satisfy this requirement, certain personal data will need to be collected and vetted, triggering the need to assess requirements under applicable data privacy regulations.
“Personal data” is broadly defined under the GDPR and obligations to protect such data extend outside the EU. Further, the GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means…” and includes activities such as the “collection, recording, structuring, transmission, etc.” of the personal data.
Therefore, a financial institution identifying and verifying UBO information of EU data subjects will need to specifically identify and address its obligations as a data processor.
Under the GDPR, data processors must have a legal basis for processing the personal data, as well as explicit consent to process the data from the data subject. Also, a data processor must adhere to the other key principles listed in the GDPR.
The key principles include:
lawfulness
fairness and transparency
purpose limitation
data minimization
accuracy
storage limitation, and
integrity and confidentiality.
To adhere to these principles, a data processor (e.g. a U.S. based financial institution) conducting customer due diligence on an EU data subject will need to take the necessary steps to ensure the customer is provided with prior notice and a description of the purposes for which the personal data will be processed.
The data processor must receive unambiguous, express consent from the customer to move forward with processing of the personal data.
A data processor conducting customer due diligence on an EU data subject must also assess requirements relating to the cross-border transfer of any personal data outside of the EU to jurisdictions that are deemed to have inadequate data protection laws.
A data processor can choose to comply with cross-border transfer requirements using one of several methods. One method is adherence through certification under the EU-U.S. Privacy Shield (which replaces the EU-U.S. Safe Harbor framework). Another method to comply with transfer requirements is by adopting EU pre-approved standard contractual clauses.
In addition, the financial institution data processor must ensure compliance with the GDPR storage protection provisions. These provisions address the storage limitation principle and require that a data processor limit the amount of data being collected to include only what is absolutely necessary.
What all this means is that financial institutions face new challenges to reconcile their compliance obligations. On one hand, their obligations are increasing to conduct customer due diligence to verify UBO information, among other things. On the other hand, the data processors at the same institutions are obligated to limit circumstances in which personal data can be collected, and when it is collected, to ensure it’s adequately protected according to EU standards.
For compliance professionals, the complications just keep coming.
____
Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida.
2 Comments
Happy to stand corrected but I don't believe the last part of this sentence is correct, "Under the GDPR, data processors must have a legal basis for processing the personal data, as well as explicit consent to process the data from the data subject."
I agree that there needs to be a legal basis for processing an EU data subject's personal data. These are defined as: (a) consent, (b) necessary for the performance of a contract, (c) compliance with a legal obligation, (d) protect vital interests of data subject, (e) performance of task carried out in public interest and (f) legitimate interests. If an organization is unable to rely on any one of (b) through (f) enumerated above as the lawful basis for collecting and processing an EU data subject's personal data, then the organization will have to rely on consent. They don't need to also have consent. With respect to the term "explicit consent", there are some circumstances where an organization would have to obtain this type of consent (when processing special categories of data (unless another provision applies), international data transfers (unless another provision applies), when decisions are based on automated processing and profiling (unless another provision applies)) but not likely for the purposes of carrying out due diligence on UBOs.
Financial institutions will probably rely on compliance with a legal obligation as the lawful basis for collecting and processing personal data of EU subjects for purposes of carrying out due diligence on UBOs, in which case consent would not need to be obtained (but notice to the data subject would need to be made). It is arguable that due diligence is a form of profiling, especially in light of recital 71 of the regulation, which specifically notes that "…decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller…."
Yes, absolutely agree with Meca. Consent is not the sole lawful basis for processing personal data. What is important is that persons do have the right to be informed when their data is collected or processed.
The UK Information Commissioner's Office has an excellent guide on the GDPR and a very nice checklist regarding when notifications should be made and what information should be included. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/