Effective May 25, 2018, the General Data Privacy Regulation (GDPR), a European Union (EU) regulation which formally became law in 2016, will bolster data privacy rights for European citizens.
The regulation itself will standardize data privacy across all EU member states and mandate that organizations which process, store, access or market personal data maintain certain standards and implement protocols around data access, consumer authorization and data breach notification.
Why The Two-Year Gap?
The two-year gap between 2016 and 2018 was put into place purposefully to allow time for organizations to learn more about the requirements and include protocols to boost their own internal compliance management systems.
The requirements are robust, and the implications for businesses can be imposing given the current level of knowledge about, and the danger of, data mishandling in data security.
Overall, How Do You Know If You're Affected?
As stated above, this regulation affects those who serve EU member states, and it has implications for US-based firms who may have access to EU personal data. You should be able to determine this based on your customer database. Keep reading to learn more, though, as it impacts many more organizations than you may initially assume.
Repercussions for Noncompliance
Fines for noncompliance are hefty and can be as much as 4% of global revenue or 20 million Euros, whichever is less.
Given the massive data breach of Equifax in 2017, GDPR could have resulted in massive fines for the EU operation of Equifax had the law been active at the time of the data breach. Equifax reported additional breaches shortly after the US breach, which also impacted South American and EU citizens.
Across the Pond in the UK
GDPR was passed prior to Brexit so it remains to be seen how the UK will adopt or implement the more robust requirements of GDPR from its current data privacy laws. However, any UK firm managing data on EU subjects would be subject to the fallout.
GDPR’s Impact on Financial Services
In mortgage banking, securities brokerage and similar industries, part of the transactional processing will be performed by third party vendors.
Take for instance Equifax and CoreLogic - two giant data aggregators with vast amounts of personal data. Since both entities operate globally, there is concern that EU data is being stored and accessed within the two organizations, but also stored in other systems such as data centers or the cloud. Under the GDPR regulation, cloud providers are not exempt.
GDPR’s Impact on Housing Finance
For mortgage banking, on the loan application (Form 1003), lenders ask an applicant to disclose whether they are a US citizen. If the answer is no, the applicant is required to provide additional data.
Due diligence would require that proof of citizenship is obtained and verified. This search should be easy to run and would allow a financial institution to account for EU citizenship data that it may have collected. At the very least, the financial institution would be able to then account for all the places this data may have been transferred to as part of the financial transaction.
Anyone accessing or processing this data should trigger the GDPR review to ensure that they are complying.
Vendors which may trigger this additional review:
- International Credit Vendors
- Global Data Aggregators
- Translation Services
- Push to Pay Fintech
- Cloud Providers
Rights and Responsibilities
Let’s go through the rights and responsibilities related to GDPR’s recent expectations. Some of these rights and responsibilities are not absolutes and may not be enforced depending on certain requirements. This is not an exhaustive list, so it should not be used as a check-box activity but rather as a guide.
Rights of the individual/customer of the organizations affected by this regulation:
- The right to refuse to become a data subject
- The right to be informed
- The right to restrict processing
- Data Portability
- The right to be forgotten
- Rights related to automated decision making and profiling
Responsibilities of the organization affected by this regulation:
- Must appoint a dedicated Data Protection Officer depending on size of organization and nature of business.
- Is responsible for reporting a data breach to the impacted EU citizen and the Data Privacy Agency.
- Must monitor access to this personal data and audit the reason behind any organization accessing the data.
- Has 72 hours from the time of discovery to report a data breach. This means confirmed discovery, not suspected, and the obligation varies according to the definition of serious impact to the subject.
- Must issue clear “Opt IN” and approval language for the Individual to acknowledge their rights under GDPR.
Personal data is classified as information which can be used to identify an EU citizen. This includes a name, photo, email address, bank details, social media posts, medical information and computer IP address.
Reviewing Your Fourth Party Relationships Will Help You Stay Ahead
Since the use of independent data centers is viewed as a fourth party relationship, it is evident that the EU law GDPR may have a global impact.
The requirement for robust third party risk management oversight will be highlighted as an important area of concern for organizations who outsource processes or data, and in turn it makes a strong case that third party risk management must go deeper than just the initial third party relationship. Follow the spider web of who has access to PII (Personal Identifying Information), not only for your primary customer base but also for those international third and fourth parties you may have conducted business with.
With that in mind, now is the time to take stock of your customer database and review the vendors which encounter their personal information.
Learn more about vendor data security by downloading our infographic on the CIA information security triad.