What happens when a cookie of a Brit in London lands in the server of a community bank in the U.S. if, on an off-chance, the Brit browses the bank’s website?
It’s unclear, experts say, but U.S. banks — especially small and midsize banks — need to go find out because the European Union’s General Data Protection Regulation (GDPR) could affect them, unlike the EU privacy regulations before it.
The countdown is ticking on GDPR’s website. The law, approved by the European Parliament in April 2016, will take effect in late May 2018. It will apply to “all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location,” the website said.
“Basically any institution around the world that has an EU citizen, a European subject, is subject [to the law],” said Steve Ehrlich, lead analyst for emerging technologies at Spitzberg Partners LLC, a corporate advisory firm. “An EU subject doesn’t have to be a customer or employee.”
The law can apply even if the company does not have a European business arm, said Pam Dingle, principal technical architect at Ping Identity, a firm that helps companies manage their personnel’s identification needs.
Some of GDPR’s provisions will require banks to behave differently than under existing U.S. regulations. One example is that banks need to report data breaches to authorities within 72 hours of their discovery. “That’s not a lot of time,” Dingle said.
Large banks are already familiar with the law, said Andy Roth, partner at the law firm Cooley LLP, who focuses on legal issues surrounding new technology. But smaller banks “are just recognizing that they have a potential exposure” and “are now starting to understand what they need to do to get in compliance.”
GDPR also requires companies to provide clients with full access to data about themselves.
“A European data subject can make requests on what data the bank has on it, and can make changes and request deletion of the data,” said Roth, who is a former chief privacy officer at American Express. “These require business practices that banks don’t have in the U.S.”
Companies with multiple legacy systems will face one of the toughest challenges, Dingle said.
“The first problem you will have when you deal with GDPR is that you have to somehow be able to reconcile how the data flows between all these different databases, even though they were made in different times, they may have different formats [and] the data might be called something different,” she said. “That’s why a lot of these beautiful ideas of GDPR are very difficult in reality for people to execute on.”
Employees’ attitudes toward personally identifiable information need to change, too, Dingle said. Simple things such as exporting company data to a spreadsheet so one can work at home can put customer data at risk, she said.
When found in violation of GDPR, a firm can be fined 2% or 4% of revenue. “There’s real enforcement risk,” Roth said. That said, Roth and Ehrlich agreed that fines are higher for the worst offenders, while first-time violators face less risk.
Unlike some U.S. regulations, GDPR is not a law that banks can just say they substantially comply with, Ehrlich said, because compliance for GDPR needs to be demonstrated through documentation.
Roth agreed, saying that GDPR drives companies to develop documentation ahead of time — “not waiting for something to happen and then investigate it.”
While larger banks are on the way to compliance, many community banks are assessing whether the law will apply to them, and what needs to be done, Roth said. Both Ehrlich and Roth said whether a small bank falls under GDPR is a case-by-case issue.
Some matters, such as the browser-cookie question, are open to interpretation.
Ehrlich said most banks “would be subject to GDPR because the definition of privacy is changing” and cookies can be within its purview.
But Roth said that “merely having a website that allows a few users to come from Europe, I’m not sure that it triggers the requirement.”
Community banks lack in-house experts who understand what GDPR means for them, said Ehrlich.
Guidance from regulators on compliance is anticipated, said a community banker who spoke on condition of anonymity. His bank has been assessing where it falls short of GDPR standards and reaching out to federal regulators, vendors and consultants to gauge the potential impact of the law.
GDPR can be a challenge for community banks, but it could also be an opportunity, Ehrlich and Roth said.
“Larger banks have evolved to focus on data, and they understand how important data and the proprietary advantages in data are, especially in the digital world,” Roth said. Community banks have been less focused on data, he said. “It is one of the things smaller banks need to do.”
A Harvard Business Review article in 2016 said that banks have achieved higher sales and growth from extensive analysis of their customers’ data.
Clients are willing to trade their information if they can get equitable return, and they feel they have control over their data, Ehrlich said. “For banks, it can be anything from a higher interest rate, or loyalty program, or prepaid gift card.”
Privacy concerns will rise with the advent of the internet of things, since smart devices will be able to collect large amounts of personal information, Ehrlich said.
USAA recently joined Capital One, American Express and some other financial institutions in offering a virtual assistant service on Alexa, Amazon’s artificial-intelligence-powered, voice-interactive device.
When the internet of things becomes predominant, “people are going to be very interested in what data is being collected about them and for what purposes,” Ehrlich said.
While not all banks may be affected by GDPR, privacy practices in the EU and the U.S. do overlap, Roth said.
Banks “should focus on operational risk management and information governance because these are unifying across the schemes,” Roth said. “That’s the best thing they can do for themselves in the future.”
Corrected September 20, 2017 at 8:53PM: An earlier version of this story understated the number of hours companies would have to report a data breach.