The finance team, located in a country outside the European Union, is part of its company’s compliance solution for the EU-enacted General Data Protection Regulation. GDPR applies to personal data protection and data security for EU citizens and “habitual” EU residents. Complying with the GDPR provides some challenges for the finance team.
What is GDPR?
GDPR is a strict EU data privacy law, with penalties, that requires compliance to protect personal data processed by companies in non-EU locations that do business with European Union Member States residents. Financial services companies, including financial institutions, and payment service providers (PSPs), must also comply with GDPR. GDPR is General Data Protection Regulation.
The free movement of personal data is allowed within the EU, without restrictions imposed by the GDPR. For organizations in EU Member States in Europe, Regulation (EC) No 45/2001, an EU law, applies instead of GDPR. But the GDPR requires that other Union legal acts be consistent with GDPR on personal data protection within the EU.
What are Personal Data and Personal Data Breach in GDPR Compliance?
In GDPR Article 4 definitions, personal data is “any information relating to an identified or identifiable natural person,” referred to as a data subject. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
According to the GDPR definition, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For personal data with personally identifiable information to apply to GDPR, it meets the following test. The personal data is processed by a data controller or data processor either automatically or manually if part of a filing system.
Data subjects, according to the General Data Protection Regulation (GDPR), are citizens or “habitual residents” of EU Member States (countries).
The data controller needs to give their regulator, the supervisory authority, a personal data breach notification within 72 hours of becoming aware of the personal data breach (or the reason for a delayed notification). The data processor informs the data controller about breaches that it observes. Article 33 of the GDPR describes what to include in a personal data breach notification.
If the sensitive data breach is “likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” If the data controller meets certain conditions described in Article 34 of the GDPR, then the data subject doesn’t need to be informed of the personal data breach.
What are Potential Penalties for Non-Compliance with GDPR?
Regulatory penalties for non-compliance with GDPR include damages incurred by the data subject, supervisory authority’s administrative fines, and possibly reprimands. Legal obligations for non-compliance with the EU’s General Data Protection Regulation can be substantial amounts.
Data subjects can seek compensation from the data controller(s) or data processor(s) if they incur material or non-material damages connected with GDPR. To be liable for damages, the data controllers or data processors must cause the event.
Supervisory authorities can impose penalties, including administrative fines for infringements of specific provisions of the GDPR privacy law and non-compliance with a supervisory authority’s order, according to Article 83. The administrative fines are “up to 20 million EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover [sales] of the preceding financial year, whichever is higher.”
For minor infringements of GDPR or if it would result in a “disproportionate burden to a natural person,” a reprimand may be issued instead of an administrative fine.
GDPR Data Protection in the Payments and Financial Services Industry
The GDPR adds some requirements to the financial services industry, including banks, other financial institutions, and payment service providers (PSPs) regarding informing data subjects, providing data portability rights and actions, and issuing timely personal data breach notices.
From a payments service processing standpoint, the merchant is the data controller and the PSP is the data processor in the EU-issued GDPR law. The data subject is the customer and cardholder. Personal data is customer data, including personally identifiable card data. Payments service processors handle credit cards and other types of online payment methods used by customers to pay merchants.
GDPR is as essential to enforce as other laws like the U.S. Congress-passed AML Act for anti-money laundering for the financial services and payment services industries. Financial services and payment processing companies are large-scale data processors with high-risk data processing activities subject to the full range of GDPR provisions and penalties.
Does Your Company Need a Data Protection Officer (DPO)?
Enterprises engaged in economic commerce that do systematic and large-scale data processing need to appoint a data protection officer (DPO) to strategize and enforce the GDPR compliance. The requirement for a DPO is not dependent on business size or employee headcount.
How Does the GDPR treat Micro, Small, and Medium-sized Enterprises (SMEs)?
In general, according to Recital 13, micro, small and medium-sized enterprises must still comply with the GDPR. But GDPR makes it easier for these SMEs to apply some GDPR requirements, including record-keeping. Regulators are “encouraged to take account of specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”
The GDPR exempts or relaxes rules (applies “derogation”) for some micro, small, and medium-sized enterprises engaged in economic commerce. These SMEs have fewer than a stated number of employees combined with an “annual turnover” (sales) ceiling and/or an annual balance sheet total ceiling in euros.
An area of less strict SME application of GDPR is record-keeping requirements.
The ceilings for enterprises engaged in economic commerce by size are:
|Enterprise Size||Employee headcount fewer than||Annual turnover (sales) in euros||Annual balance sheet total in euros|
|Medium||250||EUR 50 million||EUR 43 million|
|Small||50||EUR 10 million||EUR 10 million|
|Micro||10||EUR 2 million||EUR 2 million|
How Does the Finance Team Comply with GDPR?
To gain compliance with the GDPR data protection law, businesses must have adequate systems to capture, track, manage, and secure the personal data of EU citizens, inform them, and handle their requests for personal data captured by the system. The finance team should be aware that financial data includes identifiable personal data applicable to GDPR.
Is it possible to track the time period for which the sensitive personal data is held to inform data subjects and comply with GDPR? Is the company’s data retention period adequate to fulfill future requests for protected personal data and in compliance with GDPR time limits?
The finance team is responsible for managing finance, financial implications, cash flow, and company-wide risk management. For finance, personal data can be included in customer data files handled by the accounting and CRM systems and in storing credit card details.
Does a company policy exist regarding the handling and data security of personal data?
Does any personal data need encryption, anonymization, or pseudonymization to make sensitive data not personally identifiable?
Can customer data or other personal data be transferred at the data subject’s request to ensure that your business meets GDPR data portability and information security requirements?
Does your company know how to accept credit card payments over the phone correctly to comply with the GDPR and PCI-DSS requirements, not recording personal data and payment details?
When considering how GDPR applies to your business, consider the IAPP’s suggested risk mitigation strategy for complying with GDPR and protecting data subject rights and freedoms. The IAPP(International Association of Privacy Professionals) article includes locating and complying with any existing guidance on high-risk and large-scale data processing.
When planning to undertake a new project putting data subjects personal data at high risk, the GDPR requires that entities conduct a Data Protection Impact Assessment (DPIA), for which a template prepared by the UK’s Information Commissioner’s Office is linked. (The UK is a former EU Member State).
Finance should ensure that their entity collecting personal data from a data subject informs the data subject in clear and plain language on all of the points required by Article 13 of the GDPR. If the data controller decides to further process the personal data for another purpose later, the company needs to inform the data subject again before further data processing.
A data controller or processor company’s requirement includes letting the data subject know they have the right to request having access to their personal data or have it transferred to a different data controller for data portability, request correction or erasure, object to processing now, or withdraw explicit consent later. The data subject must be informed they can make a complaint with a supervisory authority.
Finance needs to ensure that their business has a data processing agreement (DPA) with all third-party data processors, as required by GDPR.
Summary – GDPR Compliance and Finance Team Impacts
General Data Protection Regulation (GDPR), the 2018 EU data privacy law, provides data privacy and data protection for EU residents and citizens. GDPR is applicable in countries outside the EU Member States, which comply with similar requirements in other EU laws.
For the financial services and payment service provider industries in eCommerce, GDPR is as essential to enforcing as other laws, like the U.S. Congress-passed AML Act for anti-money laundering. Financial services and payment processing services are large-scale data processors with high-risk privacy data subject to the full range of GDPR provisions and penalties.
Finance teams in non-EU countries that participate in implementing GDPR compliance must understand the regulatory provisions and impact of GDPR on business operations and processing activities in its systems.
Sensitive customer data processed as part of financial data is the personal data of data subjects, with privacy and security requirements regulated by GDPR. Adequate cybersecurity is part of GDPR compliance.
The GDPR personal information security, data privacy, and data protection law generates new responsibilities and challenges for the finance team and the entire business relating to the processing of personal data of “habitual” EU residents.