How Will the GDPR Affect Your Bank?

The GDPR and your bank


Data privacy is a hot topic right now due to the European Union’s (EU) landmark data privacy regulation – GDPR. In 1995 the EU developed the Data Protection Directive. That directive has become outdated due to skyrocketing internet use combined with cloud computing and the social media frenzy. Although the EU has always had tighter data privacy regulations compared to the U.S., the GDPR takes a huge step forward in protecting a consumer’s data privacy. So, what is the GDPR and how might it affect your bank?

What is GDPR?

The initials GDPR stand for General Data Protection Regulation. The European Union is seeking to protect its people by requiring individual consent for organizations to collect and use personal data. This includes names, photos, email addresses, bank details, posts on social networking sites, medical information and the list goes on. The EU’s goal is to strengthen data privacy and give enhanced security protection to its citizens.

Under the new regulation, consumers control their own data, which forces organizations to be more diligent about protecting it. Consumers have the right to a copy of the information that organizations retain about them, and they have the right to have that information “forgotten,” that is, erased by the organization at their request.

The GDPR not only applies to any organization operating within the EU; it also extends to institutions outside the EU that provide goods or services to customers or businesses within the EU. An organization does not need a physical presence in the EU to fall under the same strict regulations.

The stakes for non-compliance are high: an organization can be fined 2-4% of its annual global revenue for violations, so institutions worldwide are taking this regulation seriously.

What are some things your bank should know?

First and foremost, if you haven’t taken any action on the GDPR, you need to. Large international banks already know that the regulation applies to them, and they are working on compliance.

Smaller U.S. banks may not know whether it applies to them. Running a privacy risk assessment is a good first step to find out, because it can determine whether your bank does business with any clients living in the EU. The good news is that a customer living in the U.S. is outside the scope of the rule; the customer must reside in the EU at the time the data is collected. Your bank may find further clarity on the EU’s GDPR website.

Having a strategy for how your company will handle EU citizens’ data is very important. Will you treat EU citizens’ data separately from other customers’ data, or will you have a single, GDPR-compliant data strategy for everyone? One specialist recommends developing a data map to help plan the strategy and flag potential issues.

Be aware that the purpose for collecting data must be limited and explicit; open-ended data collection is no longer permitted. Your bank also needs to give clients an easy way to withdraw consent, and it must be able to erase a client’s data when the client requests it.

Customers must be given access to any of their personal data that is being processed when they request it. They also have the right to transfer that data between different service providers.

How can your bank be proactive with data privacy?

As these sweeping reforms arrive from the EU, many banks anticipate a time when U.S. customers will demand the same data protection at home. Even if you have no EU customers, it is a good idea to start researching more ways to protect your customers’ data.

After the immense Equifax breach that compromised 145.5 million consumers’ data, data privacy has become an even bigger concern to American consumers. Be proactive by starting direct discussions with your clients about data. Initiate those discussions and educate your customers about what you do with their data. Show your customers that you are concerned about their data privacy and begin confirming their consent to hold data.

Some U.S. banks are paying close attention to their European counterparts to see how they handle the GDPR. These banks are working to create their own data exchange standards, on the view that it is better for banks to establish their own standards than to have an outside agency dictate them. This may be an idea your bank could begin to explore.

All this information about data privacy can be overwhelming. Our advice is not legally binding, and, as always, we highly recommend that you speak with a professional legal team to make sure you are compliant with any new regulation.

What are your thoughts on the GDPR? What have you done to safeguard consumer data?

Don’t forget to visit our Resources page for more financial news and other great insights! If you’re interested in learning more about ADM and Smarter Cash, visit our Deposit Management page or contact us.

*American Deposit Management Co. is not an FDIC/NCUA-insured institution. FDIC/NCUA deposit coverage only protects against the failure of an FDIC/NCUA-insured depository institution.