Private bank compliance with CCPA and GDPR (03 Oct)
The California Consumer Privacy Act (CCPA) of 2018 is likely to be amended during 2019, and even then it will not take effect until 2020. However, the primary obligations it will impose on private banks, and the rights it will give consumers, are likely to remain as they stand.
As with the European Union’s GDPR (General Data Protection Regulation), now in its second year of implementation, private banks are unlikely to gain any benefit from delaying work on the CCPA’s main requirements. Both pieces of legislation will have far-reaching effects on the way private banks use customers’ information, and the compliance process will also have to be aligned in some way with that of the multinational banks that operate alongside the smaller private operators.
GDPR and CCPA have a number of parallels. The CCPA has obligations that extend beyond those of the GDPR, and at the same time the GDPR has requirements that the CCPA does not cover. A great deal of work, both technological and operational, is likely to be required to comply with both regulations. It is therefore important for all those concerned to fully understand the expectations each law sets for the protection of consumers’ privacy.
An outline of GDPR and CCPA
The CCPA was first brought into law in June 2018 and was then amended. It was the first law in the US to provide consumers with much more control over how organisations can use their personal information. Individuals are provided with new rights with regard to how their personal data is accessed, when and how it is deleted, opt-out opportunities, understanding the sources of data and who it may be sold to and an umbrella non-discrimination policy. New requirements are also imposed on organisations about the collection of data belonging to children and teenagers.
The law was amended to allow a half-year extension, giving California’s Attorney General time to draft and adopt its implementing regulations; it will nevertheless take effect on January 1st, 2020. The same amendment also provided for a delay of six months in enforcement after the implementing regulations are published. But the law has a built-in one-year ‘lookback period’, which means that organisations should have begun keeping records from January 1st 2019.
Penalties range from $2,500 to $7,500 for each violation of the law, and consumers are given a private right of action to recover damages of between $100 and $750 for each ‘breached record’ where an organisation has failed to implement and maintain reasonable security processes and practices and a data breach has subsequently occurred.
The GDPR, which has already been in force for a year, is also a radical development in legislation: it standardises the rules that control and manage data flowing between the different countries of the European Union (EU). It also strengthens the rights of individuals who were inside the borders of the EU when their data was collected (usually called data subjects) and who find that their data is being used by businesses. To achieve its aims, the GDPR sets clear rules and conditions for data controllers (those responsible for deciding on the purpose and methods of processing) and for data processors (anyone processing data on the controller’s instructions). These rules govern how the two must work together and, in a departure from previous data protection laws, both the controller and the processor can be liable for damages suffered by data subjects. As with the CCPA, the GDPR gives data subjects rights over their information, such as rights of access and of erasure. Significant fines, of up to €20m or up to 4% of the liable company’s total annual worldwide revenue, whichever is higher, are built into the GDPR.
And what about my private bank?
Both the CCPA and the GDPR reach and apply beyond their own territory, and this is very important to appreciate. The requirements apply to organisations located outside the state of California and the EU, respectively. The physical location of the bank, in terms of its branches and offices, is therefore no defence against a finding of non-compliance.
The CCPA applies to any company, or its business partner(s), that meets at least one of the thresholds set out in the statute. It is also necessary to determine whether any exceptions or exemptions apply. The CCPA, for example, does not apply to data in the following categories:
- Information that is widely available to the public, which is defined quite narrowly;
- Information concerning medical conditions, which is already governed by state or federal health information privacy laws;
- With some exceptions, information regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act of 1994.
The GDPR also has a few exemptions, but it is a very far-reaching and all-encompassing piece of legislation. Even if a private bank is not in the EU, if it expects to provide goods or services to data subjects who are in the Union, it must make sure that it fully complies with the GDPR. An advisory body, the Article 29 Working Party, has indicated that EU citizens merely being able to reach an organisation’s website or contact details is not sufficient to bring it within the scope of the GDPR. The Working Party has published useful details of the factors that can help organisations analyse this question.
Managing information securely
Although the CCPA’s implementing regulations are not yet in force, it is clearly very important for private banks to act promptly to put appropriate compliance procedures in place for the CCPA. Complying with the GDPR has been made a little easier, as private banks have access to the various forms of guidance issued by data protection authorities over the last twelve months.
Most businesses and private banks should be reviewing and updating their processes and policies, particularly with regard to website use, to make sure that they comply with both the GDPR and the CCPA. They will probably need to add staff with specific training in handling consumers’ requests correctly. Such ‘experts’ in legal compliance can undoubtedly have a major effect in reducing the difficulty and the time taken in dealing with client issues. Outside experts can assess current levels of compliance, bring policies and procedures up to date and, where necessary, develop and implement new processes, or establish compliance functions that did not previously exist, with the specific purpose of monitoring the operation of privacy processes.
Undoubtedly, both the GDPR and the CCPA have raised awareness of the issues surrounding data protection and cyber-security. Experts in these fields will increasingly be a vital part of the banking team as each bank develops and then monitors the controls they are putting in place and reviews how effective they are in protecting customers’ privacy. Even when businesses decide to manage this project alone, instead of hiring new staff or bringing in temporary experts as required, it is likely that they will need to make some significant changes as they draw this area of work into the main culture of the organisation. Regardless of the changes that may take place in the make-up of the CCPA as a result of anticipated amendments, it is already clear that there are some particular steps that should be taken to prepare for and address the following matters.
Both laws have a large number of expectations in common regarding information security programmes. The GDPR requires organisations to “implement appropriate technical and organisational measures”, and the CCPA will soon insist that they “implement and maintain reasonable security measures”.
Previously, many individual EU member states tended to rely on the ISO 27001 information security standard, and California made use of the 20 Critical Security Controls of the Center for Internet Security as a minimum level of security. These widely accepted standards exist to protect organisations’ data and systems, but other frameworks are now available as well. When a private bank chooses a risk control framework it must be able to justify that choice to regulators under the relevant legislation and give a clearly thought-out rationale for its use.
How to map and keep a record of data
Any bank that can be clear about how it collects, processes or sells its data will be well placed to meet the requirements of its respective law. It will then need to be able to separate information that is ‘personal’ from information that is not. The GDPR protects information that relates to an ‘identified or identifiable natural person’. The definition used by the CCPA is much wider and embraces any information that ‘identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household’.
The data inventory requirements of the two pieces of legislation differ in a number of ways, and private banks will need to do their homework before they can successfully complete any data mapping exercise. The CCPA, for example, does not cover data that is used only once and not sold; it covers only material that is kept for continuous use. The GDPR defines a particular category of ‘sensitive data’ and insists that organisations take much more rigorous measures to protect it than other categories. Private banks will, in this case, need to identify specifically the categories they have set up in their records, where the data was sourced from and the ‘business purpose’ under which they hold the information.
Keeping a more careful and detailed record of their data will certainly help banks keep governance and security watertight. Beyond that, it promotes an approach of putting extra measures or processes in place so that the bank can respond effectively to inquiries from regulators and to legally binding requests from customers.
Managing the rights of consumers
Consumer rights are provided in both laws, with regard to access to data and the removal of that data, among other areas, but again there are some differences. Under the GDPR, material can only be deleted if the consumer’s request meets a range of conditions, whereas under the CCPA the right, although not absolute, is certainly broader. As an example, a bank client who has a loan is not in a position to have all of the data on that loan removed. Similarly, although the entitlements to disclosure or access under the GDPR and the CCPA are comparable, the GDPR gives customers broader data access, whereas the CCPA only requires firms to provide a written disclosure.
Holders of data should certainly be working to reduce the data they hold about customers to the lowest possible practical level and be able to give clear reasons why this data is being maintained. Alongside this, it is essential that information security and technology teams cooperate with other business units, like legal, operational and compliance, to ensure clear and effective processes are in place that can respond promptly and within the requirements of the law to customer requests.
Making personal data anonymous
The CCPA requires that organisations are able to ‘de-identify’ personal information, which the GDPR words as ‘anonymise’. However, at present only the GDPR actively promotes this, whereas under the CCPA it remains a voluntary compliance strategy. Truly de-identifying and anonymising data is a challenging objective and will certainly mean that organisations need to enforce technical controls to make certain that the information cannot be re-identified. The GDPR allows the process of pseudonymisation, meaning that data cannot be traced back to any particular individual without the provision of additional information. Such data is still considered personal data, but data that has been de-identified and anonymised is not. There are security consultants who can assist private banks in this process and ensure adherence to the standards now required.
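As an added illustration of the distinction above (this is example code written for this article, not part of the original text or any bank’s implementation), the following Python shows keyed pseudonymisation of a customer identifier: the HMAC key is the ‘additional information’ held apart from the data set, records for the same customer stay linkable, and re-identification is only possible for a holder of the key. It also includes a control check showing why an unkeyed hash of a small, guessable identifier space does not de-identify anything. The record layout, identifiers and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; ids and values are illustrative, not real data.
RECORDS = [
    {"customer_id": "C-1001", "balance_band": "high"},
    {"customer_id": "C-1002", "balance_band": "low"},
    {"customer_id": "C-1001", "balance_band": "high"},
]


def new_pseudonym_key():
    """The 'additional information': a secret stored apart from the pseudonymised set."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Replace customer_id with a keyed HMAC-SHA256 token. The same customer always
    gets the same token (records stay linkable), but the token cannot be reversed
    to the id without the key."""
    out = []
    for rec in records:
        token = hmac.new(key, rec["customer_id"].encode(), hashlib.sha256).hexdigest()
        out.append({"pseudonym": token, "balance_band": rec["balance_band"]})
    return out


def reidentify(token, known_ids, key):
    """Re-link a token to a customer id; only a holder of the key can do this."""
    for cid in known_ids:
        candidate = hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(candidate, token):
            return cid
    return None


def naive_hash(customer_id):
    """An unkeyed hash: a common but inadequate de-identification shortcut."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def enumeration_check(digest, id_space):
    """Control check: if every plausible id can be hashed, an unkeyed digest is
    trivially matched. Returns the matched id (check failed) or None (check held)."""
    for cid in id_space:
        if naive_hash(cid) == digest:
            return cid
    return None
```

Pseudonymised output is still personal data precisely because `reidentify` works for whoever holds the key, so key custody and access logging belong in the same control set as the tokenisation itself.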
Moving forward from here
GDPR has undoubtedly raised awareness of data privacy in a very important and significant way. Regulators have already imposed large fines on those who have not complied appropriately. It is certainly no longer possible to delay compliance without substantial risk.
In the United States, a large number of private banks are likely to begin to adopt the CCPA, although it is only officially required for Californian consumers. This is because maintaining different processes for clients who operate both in and out of California adds complexity that banks probably feel they could do without. In this way, it is quite possible that the standards of the CCPA could eventually be adopted nationwide. If you are a private bank, it is vitally important that you begin your compliance process now.
If you need to protect consumer data under both jurisdictions, you will probably need to make significant efforts in the coming year. There are a good number of similarities between the two regimes, which means businesses can apply the same standards across their compliance efforts. Even if you are not obliged to operate under both laws, it could certainly be considered ‘best practice’ to apply both sets of requirements across your entire customer base. If a number of US states do follow the model laid out in California, this inclusive approach might save much time and effort at a later stage.
Privacy Management and GDPR Professional Education
EIMF offers a variety of training activities for individuals and businesses that want to be educated and certified in Privacy Management and GDPR. Among EIMF’s specialised portfolio of training courses, professionals will appreciate the value added in the region by EIMF’s partnerships with EXIN and the International Association of Privacy Professionals (IAPP). Through EIMF’s regional associates, the following recognised certifications can be obtained:
- EXIN Privacy & Data Protection Foundation Certificate
- EXIN Privacy & Data Protection Practitioner Certificate
- IAPP Certified Information Privacy Professional/Europe (CIPP/E)
- IAPP Certified Information Privacy Manager (CIPM)
For additional details on EIMF’s Privacy Management and GDPR professional education, please view our calendar of scheduled educational programmes found here, or speak with an expert learning and development adviser at EIMF at +357-22274470 or [email protected].