While the European Union’s General Data Protection Regulation (GDPR) deadline for compliance expired on May 25, 2018, questions remain regarding whether U.S. companies, including credit unions, should be compliant.

At least one analyst, however, is confident in the path CUs should take moving forward.

“This is important legislation and it is a first for many organizations,” said Sankar Krishnan, EVP of capital markets & banking at Capgemini.

The Paris-based consulting, technology services and digital transformation firm recently conducted a survey titled “Seizing the GDPR Advantage: From mandate to high-value opportunity,” which queried 1,000 executives and 6,000 consumers across eight markets to explore GDPR attitudes and readiness.

While 63 percent of U.S. respondents said they would be “largely or completely” compliant by the deadline, only 55 percent of British businesses reported that compliance measures were in place.

“GDPR has ramifications across industries. My personal view is that well-regulated industries are used to complying with regulation in a ‘business as usual’ mode,” said Krishnan. “Financial services, health, telcos and automotive industries will do better than others initially, as they are used to shifts in legislation.”

Should your credit union be GDPR compliant?

Since GDPR is EU-based legislation, many U.S.-based companies and organizations, including credit unions, are rightfully confused as to how this regulation impacts their respective business models.

Robert Cattanach, a partner at the international law firm Dorsey & Whitney

“Any U.S. company offering goods or services to EU residents, such as a company with a website, is likely required to comply,” said attorney Robert Cattanach, a partner at the international law firm Dorsey & Whitney. Credit unions operating in Europe – whether on U.S. military installations or elsewhere – should be compliant or actively working toward compliance, he added.

“GDPR allows private citizens to lodge complaints and even bring class actions,” he explained. “All it will take is one disgruntled customer or employee whistleblower to spotlight someone who thought they could fly below the radar for a few years.”

Both the Credit Union National Association and the National Association of Federally-Insured Credit Unions have put together resources for credit unions on how GDPR impacts them, how to prepare for it and what steps they need to take to ensure compliance.

Dave Hartley, principal at UHY Advisors, Inc., said prior to the Facebook/Cambridge Analytica data-sharing “debacle,” it may have been “feasible” for U.S. companies that do not conduct business with EU businesses or consumers to ignore GDPR, but the playing field has changed.

“Even if your company is not subject to GDPR, UHY experts believe it won’t be long before similar privacy legislation arrives in the U.S.,” he noted.

Krishnan explained that GDPR-related penalties and fines will be imposed by “individual member-state supervisory authorities” based on the type of infringement, intention of the infringement, possible mitigation, preventive measures and the controls that are in place.

“The lower-level infringement penalty is 2 percent of global revenue of the prior financial year or 10 million euros, whichever is higher,” he said. “The maximum is capped at 4 percent of global revenue, up to 20 million euros. The penalty will depend on the facts and circumstances of each case.”

Key considerations

For credit unions determining how they should respond to GDPR, Hartley provided key questions for executives to consider, which include:

• Do we collect and/or process the personal data of EU citizens?
• Do we know all the places within our organization where we store consumer data?
• Are we prepared to respond to requests from EU citizens asking about data we store about them?
• Do we know how to purge all data on an EU citizen if they exercise their “right to be forgotten” from our systems?
• If we were to experience a data breach, could we alert authorities within 72 hours and provide them with a data map of our systems?
• Have we updated our privacy policy to comply with GDPR requirements?

“GDPR represents a new set of privacy requirements that many IT shops in the U.S. have never dealt with before,” noted Hartley. “Companies can create a competitive advantage and save a lot of headache regarding fines if they proactively address privacy requirements in their businesses now.”

GDPR benefits

Protecting credit union and member data from fraud and hacking is an ongoing battle. In Krishnan’s view, those credit unions that are proactive and begin adopting GDPR guidelines will better serve their respective members and reduce long-term data management costs.

“At its essence, the GDPR promotes a lean and agile data culture. When you do not have gazillions of data, your data lake becomes almost dry and it does not need an army to maintain it,” he said. “The technology needed to maintain agile and lean data is a lot lower, and the resultant compute and storage space will also shrink.”

Cattanach and Krishnan both advised that credit unions begin a thoughtful and deliberate journey toward GDPR compliance, but said not to unnecessarily rush the process.

“Credit unions should start looking at data gap analysis and have a plan in place within one year,” said Cattanach. He added that if there is GDPR-related infringement, organizations that can clearly demonstrate proactive measures were taken will likely not be fined or troubled as much as an organization that did not take any action.

Organizations do not have to be 100 percent compliant today or in the near term, but should be working toward that goal, added Cattanach.

“If your appetite for risk is voracious, you might avoid detection for a while,” he said. “But if you completely ignore GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking.”