In less than two weeks the new General Data Protection Regulation (GDPR) will be in full force. Most companies subject to the GDPR have prioritized efforts to implement the necessary internal safeguard measures, procedures and required contractual provisions.
However, to ensure effective compliance, privacy requirements must be assessed under the appropriate lens of a data controller or data processor. The privacy requirements must also be integrated into components of a compliance program that are indirectly impacted under the GDPR.
AML due diligence programs typically include mandatory procedures for conducting required customer due diligence prior to onboarding. For example, under FinCEN’s customer due diligence requirements, financial institutions are required to identify and verify ultimate beneficial ownership (UBO) information of customer entities. In order to satisfy this requirement, certain personal data will need to be collected and vetted, triggering the need to assess requirements under applicable data privacy regulations.
“Personal data” is broadly defined under the GDPR and obligations to protect such data extend outside the EU. Further, the GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means…” and includes activities such as the “collection, recording, structuring, transmission, etc.” of the personal data.
Therefore, a financial institution identifying and verifying UBO information of EU data subjects will need to specifically identify and address its obligations as a data processor.
Under the GDPR, data processors must have a legal basis for processing the personal data, as well as explicit consent to process the data from the data subject. Also, a data processor must adhere to the other key principles listed in the GDPR.
The key principles include:
fairness and transparency
storage limitation, and
integrity and confidentiality.
To adhere to these principles, a data processor (e.g. a U.S.-based financial institution) conducting customer due diligence on an EU data subject will need to take the necessary steps to ensure the customer is given prior notice and a description of the purposes for which the personal data will be processed.
The data processor must receive unambiguous, express consent from the customer to move forward with processing of the personal data.
A data processor conducting customer due diligence on an EU data subject must also assess requirements relating to the cross-border transfer of any personal data outside of the EU to jurisdictions that are deemed to have inadequate data protection laws.
A data processor can choose to comply with cross-border transfer requirements using one of several methods. One method is adherence through certification under the EU-U.S. Privacy Shield (which replaces the EU-U.S. Safe Harbor framework). Another method to comply with transfer requirements is by adopting EU pre-approved standard contractual clauses.
In addition, the financial institution data processor must ensure compliance with the GDPR storage protection provisions. These provisions address the storage limitation principle and require that a data processor limit the amount of data being collected to include only what is absolutely necessary.
What all this means is that financial institutions face new challenges in reconciling their compliance obligations. On one hand, their obligations to conduct customer due diligence, including verifying UBO information, are increasing. On the other hand, the data processors at the same institutions are obligated to limit the circumstances in which personal data can be collected and, when it is collected, to ensure it is adequately protected according to EU standards.
For compliance professionals, the complications just keep coming.
Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida.