The General Data Protection Regulation (GDPR) regime that will come into force in Europe on 25 May this year will require private banks with a European presence to implement new data management policies, lawyers have warned.
The impending GDPR rules grant EU citizens extended control over how data collecting entities can use their information. In addition, financial institutions are required to obtain additional documented consent from their clients in order to stay compliant.
GDPR will replace the current EU data protection policies that every EU country has implemented. Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) was largely modelled after the EU’s current policies.
The new GDPR regulation is similar to Singapore’s Personal Data Protection Act (PDPA), which was last updated in 2012, but contains more extensive requirements in terms of client data protection.
Banks are aware but not all ready for GDPR
“Banks are very aware of GDPR, as clients can come from anywhere in the world,” Woon Chooi Yew, senior partner at the intellectual property & technology practice of Dentons Rodyk, told Asian Private Banker.
Yew said banks that either have a presence or are established in Europe will need to ensure compliance as the implementation deadline approaches. Meanwhile, the risk is much lower for banks that have no presence in Europe.
Despite the attention the incoming GDPR regime has drawn, not all banks are ready for its implementation, Ken Chia, principal at Baker McKenzie Wong & Leow LLC, told Asian Private Banker.
“The big European banks started the preparation a long time ago, but for smaller local banks with only a little business in Europe, the preparation work might take a longer time as they will generally have fewer resources,” Chia said.
Training is needed instead of IT system change
Meanwhile, Yew said that as Singapore’s current data security rules are generally in line with the GDPR, banks that are already compliant with PDPA only need to make a few adjustments to their existing policies.
However, she pointed out that the differences include “the right to be forgotten” — a rule missing from Singapore’s PDPA. Under GDPR, clients have the right to request that banks delete information submitted by the client, provided a set of conditions is met.
“Whether a bank needs to give effect to such request depends on whether the bank has a legitimate right to retain the information, for example, in relation to AML use,” said Yew.
Another difference Yew highlighted is the need to obtain consent when distributing marketing materials to business contacts. Business contact information is protected as personal data under GDPR — but not under the PDPA.
In general, however, banks do not have to make major changes to their IT systems in order to be GDPR compliant, but they do require training and new policies on data processing, Chia said.
“Most of the banks have previously dealt with European privacy laws, but it doesn’t mean there isn’t a lot of additional work imposed by the new regulation,” he added.
Heavy penalty raises concerns
Once implemented, banks that violate GDPR would face a maximum penalty of 4% of global annual turnover – which is much higher than penalties imposed by privacy regulators in other parts of the world.
Another issue is uncertainty regarding enforcement action when it comes to cross-border transactions that involve non-EU member jurisdictions.
“As the regulation is only going to be implemented on 25 May, there is a lot of uncertainty at this stage,” said Yew.
“It is still unclear how the regulators in different countries within the EU would work with one another in investigation and enforcement proceedings, and how investigations on organisations not having a presence in the EU would be carried out.”
Chia expects that, over time, penalties for GDPR breaches will become consistent with the penalties imposed by national-level jurisdictions. Closer cooperation with non-EU member states in data breach cases is also expected.
“Singapore is a global hub and the local regulator can cooperate with the EU if breaches occur in Singapore which involve EU citizens or corporations,” said Chia.
Data protection has become a priority for a number of financial regulators. China implemented its first data protection regulation last June, and both Hong Kong and Singapore have published consultations on regulating robo-advisors, which include discussion of how banks should remain cognisant of data protection and of the scope of their liability when harnessing big data and artificial intelligence.