Clock Ticks on EU Privacy Regulation
For financial technologists who are looking for a distraction from MiFID II’s January 3, 2018, deadline, firms doing business with EU-based counterparties have less than 250 days to meet the EU’s General Data Privacy Regulation, which goes into effect on May 25, 2018.
The GDPR, which is the largest data privacy overhaul in Europe in the past 20 years, will cast a long regulatory shadow beyond the EU’s borders.
Under Article III of GDPR, if a firm has an establishment in one or more of the EU’s member states or makes use of equipment within one or more of the member nations, it will need to comply.
Unlike previous data privacy regulation, GDPR keeps the establishment criterion, so that the regulation applies to the processing of personal data in the context of the activities of an establishment of the data’s controller, or of a third-party processor, regardless of whether the processing takes place in the EU or not, Gwendal Le Grand, director of technology and innovation at Commission Nationale de l’Informatique et des Libertés, explained during a webinar on data privacy.
“Basically if you are making business in the EU, you are going to need to comply,” he added.
However, if a company outside of the EU has EU clients, that does not automatically mean it will be captured by the pending privacy regulation, according to Jules Polonetsky, CEO of Future of Privacy Forum and fellow presenter.
“If you are anywhere in the world and dealing with a person in the EU, you have to do something; the question is: ‘How much?’” he said. “If you are monitoring someone’s behavior, you are swept in. And if you are doing anything to market to EU citizens even though you’ve never stepped foot into the EU or have employees or other connections, you are indeed going to be captured by the regulation.”
The GDPR defines personal data as any data that can be used to directly or indirectly identify a natural person: name, photo, email address, bank details, medical records, social media identifier, static IP or MAC address.
The regulation also does away with the broad-based privacy consent that businesses typically have used and offers no grandfathering for existing personal data, according to Gary LaFever, co-founder and CEO of data privacy vendor Anonos.
Firms with data lakes or warehouses will need to address the existing data, he noted.
The EU has given regulators a hefty cudgel to ensure businesses comply with the regulation. Depending on the nature of the infraction, regulators could fine the offending firm the greater of 20 million euros or 4% of its global revenue.