Thousands of American companies, including credit unions that do business with European customers, need to reckon with the EU's General Data Protection Regulation, which goes into full effect a year from now.

The GDPR changes the handling of personal and corporate data, particularly personally identifiable information. The regulation, slated for a May 25, 2018 rollout, already weighs heavily on the European business community, but comes as a surprise to many U.S.-based enterprises.

Nevertheless, the financial services industry is beginning to evaluate how to tackle the incoming data protection regulation, because many expect financial institutions to wear the biggest bull's-eyes when GDPR finally comes into play. Financial institutions have a little over a year to come up with a comprehensive approach and plan for managing and securing European consumer data.

“If you are a credit union in the U.S., you are likely going to have to comply with this law if you have any members who moved to Europe or live in Europe,” Michael S. Edwards, vice president and general counsel for the World Council of Credit Unions, said.

Edwards, who worked on the issue for WOCCU, explained there is currently a data privacy shield framework that the U.S. Commerce Department allows for transferring data from Europe to U.S.-based companies. “That's not going to help at all with this GDPR regulation; you are going to have to comply with both,” he said.

The International Association of Information Technology Asset Managers identified the top five ways the new EU regulation affects any organization:

Data breaches. If a company experiences a data breach, it must report it within 72 hours of the company becoming aware of the incident.

Data protection officer requirement. The EU determined that a designated individual is necessary to ensure the maintenance of data privacy and control at each company doing business in Europe.

Consent of those providing data. The data controller bears the burden of proof for the data subject's consent for specified purposes.

Special handling of data related to Europeans. Any organization that handles personal information of EU citizens such as phone numbers, addresses or any other identifying information will be subject to the GDPR. In addition, any organization receiving the information third-hand will also be subject to the regulation.

Potential for hefty fines and court penalties. An organization faces fines, levied by the member states to protect personally identifiable information, for non-compliance and for breaches.

“The European Commission says you have to have a representative in each country where a member lives,” Edwards said. In addition to having a registered agent, Edwards noted, credit unions must have a data protection officer and an EU-focused privacy policy for members living in Europe. The fines for not complying with GDPR are up to 20 million euros (almost $22 million) per violation or up to 4% of the organization's annual revenue, whichever is higher.

“In a breach scenario involving those members' account information, the credit union would have to inform the government of whatever country it is within 72 hours,” Edwards explained. He added that the fines per breach per person are 10 million euros (about $11 million) or up to 2% of the financial institution's revenue.

Edwards warned that for U.S.-based credit unions, it might be worth doing some compliance work in this area even if only one or two members live in Europe. “It's a lot more than credit unions want to risk.”

Gary Southwell, general manager of Boston-based CSPi, suggested, “Credit unions should ask themselves, 'Do we have this type of information?' The next question they should ask is, 'Does it matter?'” Southwell also pointed out that GDPR not only goes into effect across all 28 EU nations, but the United Kingdom also plans to adopt GDPR despite Brexit, at least for now.

GDPR ensures there is one set of criteria to protect individuals and help companies understand compliance issues when it comes to personally identifiable information. “Companies that have European subjects' information, whether they are in the EU or outside the EU, have to comply with this especially if they want to do business in the EU,” Southwell maintained. “If credit unions have European subjects' information it then applies to them.”

CSPi created a system, Advanced Forensic Framework, specifically designed to help security teams protect their most critical data by monitoring the conversations to critical assets and quickly visualizing, detecting and capturing all suspicious activity. “In a credit union that would be the databases that keep the company's records,” Southwell said. “We tried to make it easier to watch the critical data in an organization.”

Southwell added, “For companies in regulated industries it is even more important to solve these challenges in order to adhere to data privacy laws, such as the EU's GDPR. We took a much more pragmatic approach to the problem, placing focus on the data that must be protected at all costs, an organization's PII, financial transactions, and/or intellectual property.”

Joe Garber, vice president of marketing, information management and governance software at the Palo Alto, Calif.-based Hewlett Packard Enterprise, views GDPR as helping organizations identify and secure sensitive information.

Garber said HPE found many organizations are looking at this not as a compliance challenge but as a risk management challenge. “What they need to do is get started; identify what their greatest risks are first,” he said. And with the regulation running to 270 pages, many organizations do not know where to get started.

The potential fines alone are not what is driving financial institutions and other organizations to take GDPR seriously, Garber suggested. It is the additional ramifications: lawsuits stemming from not taking the appropriate measures, negative fallout affecting reputation, the need to lock down PII, and understanding how to use the information.

HPE Software just launched the GDPR Starter Kit, which helps organizations take a critical first step in preparing for the GDPR. This bundled set of software solutions helps organizations automatically identify, classify and take action to secure information that falls under this regulation.

“We've gone through GDPR and created a number of use cases that specifically address certain articles within GDPR,” Garber said. “The way we look at things within HPE, it is relatively easy to comply with GDPR because it is really two steps.”

Garber remarked that the first step is to classify what is in scope under the regulation and identify what PII is. The second is to apply policies to that information. That includes data mapping, analyzing and classifying information, and then optionally moving the information to a centralized repository.

The GDPR Starter Kit's bundled solutions also help customers conduct a personal data assessment and optionally encrypt data that is subject to these regulations.

Any organization that processes or handles data from EU citizens must become familiar with GDPR and fully comprehend the effect it will have on business processes. Between its sweeping scope and its penalty structure, the EU's pending rules warrant serious attention, with an eye to what it will take to ensure full compliance, even by American financial institutions.

“The effective use of technology is critical for organizations to monitor what sensitive EU citizen data they hold, and to apply and enforce policies to protect this information,” Stewart Room, global data protection legal services leader at PwC, said. “With the upcoming EU General Data Protection Regulation set to deliver a fundamental change in how personal data is handled, organizations must ensure they have the right technology and controls in place to meet the new requirements. The natural first step for many is to use analytics tools to understand what personal data is held, where it's being stored, and how to classify it.”

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).