Mark Zuckerberg's announcement last week that Facebook plans to comply with Europe's tough data privacy rules for users nationwide is a large step forward for the new regulation, which gives consumers more control over how their data is gathered, used and shared.
Many large internationally active U.S. banks are already grappling with the General Data Protection Regulation, which takes effect May 25, including spending significant sums on updating their systems. Of the U.S. companies that completed their compliance work, 40% spent more than $10 million, according to a PwC survey conducted last year. One incentive to devote resources to compliance is the fine for violations, which is potentially 4% of global revenues.
“Big banks, fund companies, large insurance companies are all working through large GDPR compliance efforts,” said Jeff Sanchez, managing director, information security and privacy at Protiviti. “For smaller community and regional banks, it’s more dependent on their analysis of what their customer base looks like and what their exposure to European data subjects is.”
Following is a look at the European rules, including which institutions must comply and what is required.
Who has to comply?
It’s not crystal clear which U.S. banks must comply.
Banks that have European offices have to. So do banks that market or sell products or services to Europeans. This can include something as simple as having a website translated into a European language like French or German.
U.S. banks that don’t have a presence in Europe but do have European customers are a gray area. If the bank has only a small number of European customers and they’re living in the U.S., then there’s little need to worry about the new rules.
“There’s no threshold you have to cross before GDPR applies to you,” Sanchez said. “Realistically, if you have one European customer, nobody is going to come after you for GDPR violations, you’re so far down in the priority of regulatory review. I don’t know that if I had one European customer I would go through the effort of complying with GDPR. But technically, you would be subject to GDPR.”
Residency and citizenship aren’t the triggers for GDPR. What matters is where a person is when they’re communicating with the bank. An Irish citizen living in a New York condo with a New York bank mortgage, for instance, is not subject to GDPR.
But if a European customer of a U.S. bank makes a data privacy complaint to EU regulators, that bank will come under GDPR scrutiny.
Banks that have European customers should already be meeting the existing European privacy directive, which includes some of the same requirements that GDPR entails.
“They shouldn’t be starting from a blank slate,” said Richard Hogg, IBM global GDPR evangelist. “They are hopefully already meeting some of the privacy and security needs.”
The struggles of GDPR
One difficult element of the rules for banks is the consumer data rights. For instance, there’s a right to data portability — the customer needs to be able to ask for and immediately receive an inventory of all data the bank has on him or her.
“This is how the whole Facebook thing hit the news,” Sanchez said. “Facebook made this available for individual customers to see what data Facebook had on them. People realized Facebook had all this information they didn’t realize it had.”
Providing an inventory of all the data a financial institution has about a person is difficult, Sanchez said, because it’s not just traditional data types, like bank account number and transaction history, which banks can readily access. It includes information about when the customer visited the bank’s website and what they did there.
“They’re probably capturing in their log every time I sign in and sign off to my online banking app,” Sanchez said. “That’s data they have about me that they have to be able to provide.” If the bank is capturing cookies and IP addresses, it has to share these, too.
The bank also has to remove all traces of a customer’s personal information if she asks it to. This is called “right to erasure.” (In an earlier version of the rules, it was called, somewhat more poetically, “right to be forgotten.”)
“In financial services, it might not be reasonable or practical for the bank to remove all the information they have about me, because some of that they may be required to keep for regulatory purposes,” Sanchez said. “So there’s an extensive process of documenting the logic of what data do we have, what data are we able to delete, if we’re not deleting that data, what’s our justification for not deleting it?”
The right to the data inventory and to data erasure applies to data that banks gather from third parties like credit bureaus and LexisNexis as well as to internal data. It also applies to paper documents and backup files. These requests have to be met within 30 days.
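The two obligations described above, the data inventory a customer can demand and the erasure request that must be answered record by record with a documented justification, can be made concrete in a small request handler. The following is an added example and is not code from the article or from any vendor it mentions; the record sources, the retention categories and their end dates, the subject IDs and every value in the sample records are constructed for illustration, and the 30-day deadline is the one the article states.

```python
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample records about two customers, spread across the kinds of
# stores the article lists: core systems, web logs, a third-party feed, paper
# files and backup media. Subject IDs, values and sources are all made up.
SAMPLE_RECORDS: List[dict] = [
    {"source": "core_banking",  "category": "account",      "subject": "C-1001",
     "value": "acct 00012345"},
    {"source": "core_banking",  "category": "transaction",  "subject": "C-1001",
     "value": "2018-03-02 -45.10 EUR card purchase"},
    {"source": "web_logs",      "category": "signin_event", "subject": "C-1001",
     "value": "2018-04-01T08:02 login ip=203.0.113.7"},
    {"source": "web_logs",      "category": "cookie",       "subject": "C-1001",
     "value": "session=abc123"},
    {"source": "credit_bureau", "category": "credit_score", "subject": "C-1001",
     "value": "score 712"},
    {"source": "paper_archive", "category": "signed_form",  "subject": "C-1001",
     "value": "mortgage application, box 17"},
    {"source": "backup_tape",   "category": "account",      "subject": "C-1001",
     "value": "tape T-0042 (2017 full backup)"},
    {"source": "core_banking",  "category": "account",      "subject": "C-2002",
     "value": "acct 00098765"},
]

# Assumed retention policy: categories the compliance team has decided must be
# kept, with the documented reason and the date the obligation ends. Anything
# not listed here is erasable on request.
RETENTION_POLICY = {
    "transaction": ("regulatory record-keeping", date(2025, 3, 2)),
    "signed_form": ("evidence of contract", date(2030, 1, 1)),
}

# Assumed sources where erasure is not a database operation and has to be
# tracked as a work item instead (paper files, backup tapes).
MANUAL_SOURCES = {
    "paper_archive": "manual retrieval and destruction ticket",
    "backup_tape": "purge scheduled for next tape rotation",
}


def build_inventory(subject: str, records: List[dict]) -> List[dict]:
    """Subject access / portability: every record held about one subject,
    from every source, including logs, cookies and third-party data."""
    return [r for r in records if r["subject"] == subject]


def export_inventory(subject: str, records: List[dict]) -> str:
    """Portable, machine-readable copy of the inventory for the customer."""
    return json.dumps(build_inventory(subject, records), indent=2, default=str)


def decide_erasure(subject: str, records: List[dict], today: date) -> List[dict]:
    """Right to erasure: decide erase / retain / queue for each record and
    record the justification so the decision can be shown to a regulator."""
    decisions = []
    for r in build_inventory(subject, records):
        policy = RETENTION_POLICY.get(r["category"])
        if policy is not None and today < policy[1]:
            reason, until = policy
            action, why = "retain", f"{reason} until {until.isoformat()}"
        elif r["source"] in MANUAL_SOURCES:
            action, why = "queue", MANUAL_SOURCES[r["source"]]
        else:
            action, why = "erase", "no retention obligation applies"
        decisions.append({**r, "action": action, "justification": why})
    return decisions


def summarize(decisions: List[dict]) -> Dict[str, int]:
    """Count of records per action, useful for the response letter."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d["action"]] = counts.get(d["action"], 0) + 1
    return counts


def request_deadline(received: date, days: int = 30) -> date:
    """Date by which the request must be answered (30 days per the article)."""
    return received + timedelta(days=days)


if __name__ == "__main__":
    today = date(2018, 5, 25)
    print(export_inventory("C-1001", SAMPLE_RECORDS))
    for d in decide_erasure("C-1001", SAMPLE_RECORDS, today):
        print(f'{d["source"]:14} {d["category"]:13} {d["action"]:7} {d["justification"]}')
    print("deadline:", request_deadline(today))
```

The point of the justification field is the one Sanchez makes: a record that is not deleted needs a written reason, and a record that lives on paper or tape needs a tracked task rather than a silent "done". Running the same erasure decision again once a retention period has lapsed turns earlier "retain" rows into "erase" or "queue" rows, which is the re-review a bank would schedule.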
“There’s a lot of discussion and people are waiting to see if there’s going to be additional clarification from European working groups about backup files,” Sanchez said. “From a practicality perspective, it’s difficult to expect companies to go into backup files and remove data from backup tapes and backup sources. From a technical perspective, it would be incredibly difficult to scrub those backup tapes.”
There are technologies that help. IBM, for instance, has personal data discovery tools that can find where consumer data lives throughout an organization and gather it to provide to a customer and/or erase it from the bank’s servers and backups.
But according to Sanchez, there are no tools that do everything. Some are designed to comb through unstructured data, others are focused on structured data. There are separate tools for searching data stored in cloud applications and storage. No technology exists that can find paper files.
“It’s not like there’s one silver bullet able to do this everywhere,” Sanchez said.
Consent is another challenge — asking for and receiving the customer’s consent before doing anything with his or her data. A few vendors including Trunomi have software that automates the consent process.
But Sanchez said that while in the beginning, most banks assumed they were going to have to get consent, as the deadline has drawn closer, banks are using other approaches to justify using a customer’s information.
GDPR offers six legal reasons for companies to collect and process consumers' information.
“Legitimate interest” is the reason being used most frequently. This is where the bank can prove that its use of customer data is mutually beneficial for the customer and the company. For instance, if a financial institution is sharing transaction data with an anti-fraud analytics company, that could be considered legitimate interest — it’s to the benefit of the individual and the company to ensure a transaction is not fraudulent.
“Europeans have made some comments that suggest they believe U.S. companies are overusing legitimate interest,” Sanchez said. “But we do see a lot of use of legitimate interest as the basis for processing instead of consent.”
The presence of a contract is another way to avoid having to ask for consent.
The basic compliance part of GDPR, IBM's Hogg said, is not technology related — it involves people, policy, and process.
“Clients have been scrambling over the last year to put in place process changes and education to make all employees aware of, what is personal data, why we need to meet these regulations,” he said.
There’s also a security component to GDPR, what Europeans refer to as “data protection.”
IBM provides data security including encryption of personal data, as do many other vendors.
Data protection also includes controlling and monitoring who can access and use information, and having a breach-readiness plan in place that includes notifying regulators of a breach within 72 hours. (New York’s cybersecurity rules also require this.)
“The current average for most organizations to discover they have a breach is 100 days,” Hogg said.
The starting point for GDPR compliance, Hogg said, is to do a privacy risk impact assessment.
“Some organizations haven’t yet started that,” he said. “If they can at least complete their impact analysis, which is still doable in a few weeks, that will give them a gap analysis and help them come up with an appropriate plan they can show regulators.”
The starting point for regulators, he guesses, will be to go after big data breaches and large social media organizations.
Even banks that determine themselves immune to GDPR still have a need to rethink data privacy. Facebook’s Cambridge Analytica scandal has lawmakers considering tougher privacy rules.
Another impetus is American consumers, who have long been naive about data privacy but are waking up to the idea that their personal information is worth guarding. In an IBM-commissioned Harris poll released Monday, 78% of Americans said a company’s ability to maintain the privacy of their data was extremely important. Only 20% said they trust companies to keep their data private.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.