Cybersecurity and Fraud Protection

European Union GDPR Reshapes Data Privacy

This year, one of the biggest regulatory changes in more than two decades has reshaped the way companies and consumers view personal information in the European Union (EU).
Known as the EU General Data Protection Regulation (GDPR), the new regulation harmonizes data protection across 28 EU member states and requires all companies that collect personal data from EU individuals to meet higher standards for the way they process, store and protect that information. The GDPR, which took effect on May 25, replaces the 1995 EU Data Protection Directive with stricter data protection obligations and higher penalties for companies that do not meet compliance requirements.

The GDPR requirements are designed to bring greater transparency about how and why personal data is processed and are considered by industry experts to be the most stringent in the world. The regulation strengthens the rights of individuals to learn the specific personal information companies are storing about them and further limits the use of that personal data. By filing a data subject access request, EU individuals have the right to ask a company to delete their personal information.

Companies are now being held to strict standards about how personal information is used, and many will need to apply rules similar to those already in place at JPMorgan Chase.

“Banking regulations, such as those designed to stop money laundering, require our firm to maintain specific personal information about our Commercial Banking clients,” said Morgan McGrath, Head of Commercial Banking’s International Banking business. “We are very aware that what we do with that information is important to our clients, and we are very careful about protecting that information.”

Adrian Godfrey, Managing Director, Operations Executive for Commercial Banking, added, “Our EMEA Privacy Policy provides a detailed, clear and transparent explanation of what the firm does with personal data, and why it does so.”

The GDPR requires data controllers to maintain tighter measures to protect sensitive personal data and offer a reasonable level of protection from a data breach. Companies are required to perform impact assessments that identify and correct vulnerabilities to help mitigate risk.

“It’s important to understand what a good cybersecurity program looks like and to test your employees with simulations to help protect against unauthorized access to personal data,” said Rohan Amin, Chief Information Security Officer and Chief Technology Control Officer for JPMorgan Chase. “This is an opportunity for controllers to concentrate on those data entry points into the company, and revisit who has access to sensitive personal information.”

If affected by a data breach, a company must report it to supervisory authorities and affected individuals within 72 hours of discovery. Companies that violate these rules may face fines of up to 20 million euros or 4 percent of the company’s gross revenue (whichever is higher). Individuals affected by a data breach can also claim compensation for damages.

“The GDPR imposes additional data protection obligations on data controllers and data processors, so it is important that third parties maintain strong data safeguards including cybersecurity controls and a data breach and incident response plan for a cyberattack,” said John Rastovski, Executive Director, Commercial Banking Cybersecurity and Technology Controls.

GDPR Areas of Focus

  • Accountability. Formally defines accountability and the technical and organizational measures for data controllers to implement.
  • Data Safeguards. Data controllers and data processors must implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk.
  • Cross-Border Data Transfers. Requires an approved mechanism to transfer data outside the European Union.
  • Records of Processing. Requires data controllers and data processors to maintain records and make them available.
  • Appointment of Processors. Data controllers must use only data processors that guarantee compliance with GDPR.
  • Data Protection Impact Assessments. Appropriate controls must be in place where processing activities are proposed that may result in a high degree of risk to the rights and freedoms of individuals.
