What is the General Data Protection Regulation (GDPR) and when does it come into effect?
The GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the EU.
It establishes a framework of rules to protect the personal data for European Union (EU) data subjects. It also addresses export of personal data outside the EU.
The GDPR takes effect May 25, 2018.
Who does the GDPR affect?
The GDPR applies to companies operating within the EU that process personal data.
It also applies to companies outside the EU that offer goods and services to individuals in the EU.
What constitutes personal data?
Personal data means any information relating to an identified or an identifiable natural person.
Potential examples of personal data are:
Named user ids
Personal card numbers
Account numbers of individuals
Financial data relating to any individual
IP addresses which can be tied back to an individual
Location data relating to an individual
Online identifiers such as an IP address.
Does FIS have a GDPR Compliance program?
Yes. FIS has undertaken an enterprise-wide review and we are updating our processes and procedures to be fully compliant with GDPR by the effective date.
Does FIS have a Data Protection Officer?
FIS employs an EU Data Protection Officer as specified by the regulation. Patrick O’Kane, the FIS Data Protection Officer, can be reached at Data.Protection@fisglobal.com.
Does FIS use subcontractors to provide services to my organization? If yes, how does FIS inform my organization, as the controller of the personal data, of the use of those subcontractors?
FIS uses subcontractors throughout its business.
While the GDPR allows a wide degree of leeway for data controllers to use processors who sub-contract services, subcontractors are contractually required to comply with all applicable laws and regulations, including the GDPR.
FIS remains responsible to the data controller for the actions or inactions of any subcontractor.
The Data Protection Agreement (DPA) provides your general consent for FIS to subcontract.
FIS is required under the GDPR to identify those subcontractors and give you sufficient time to object to new sub-processors.
These communications will be managed through the following secure website: my.fisglobal.com. That secure website will be active by May 1, 2018, and will validate your email address if registered with FIS, or will provide you with instructions on how to register your email address with FIS to obtain information regarding subcontractors.
How do I know if my contract with FIS needs to be amended?
If your organization is subject to the GDPR, one of the requirements under the GDPR is that a compliant Data Processing Agreement/Addendum (DPA) be in place prior to the effective date.
FIS has developed a Data Privacy Addendum that will meet the requirements of the GDPR. It is available now to all customers to help them prepare for May 25, 2018, when the GDPR becomes enforceable.
GDPR applies to my organization. How do I amend my contract to include the required provisions?
You can request a DPA that includes your organization's information and is enabled for electronic signature by sending an email to email@example.com.
Do all my FIS contracts need to be amended or does the DPA cover my organization’s agreements with FIS?
The FIS DPA is designed to cover all the products and services that FIS provides to you.
We have designed the DPA to be applicable to all contracts you or your affiliates have with FIS or its affiliates so that only one DPA with FIS is required to be executed.
Can FIS determine if a client needs a GDPR-compliant DPA agreement?
Each client is responsible for their compliance program and must determine whether the GDPR applies to their business.
However, FIS suggests that a DPA be executed if the client believes the GDPR may apply to any of the products or services provided by FIS. Specific language can be included in the DPA to specify that the GDPR provisions are only effective to the extent that the client is subject to the GDPR.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 Million (US$21.5 Million). This is the maximum fine that can be imposed for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of privacy-by-design concepts).
There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order, not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment.
My contract already says that FIS will comply with all applicable laws and regulations. Why do I need an addendum that specifically references GDPR?
The GDPR requires specific provisions be included by contract.