What is the GDPR?
The EU General Data Protection Regulation (GDPR), the "Regulation," replaced the EU Data Protection Directive 95/46/EC and is applicable in all EU and EEA Member States as of 25 May 2018.
The GDPR significantly changes the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties. For example, companies must:
- Implement programmatic measures to ensure and actively demonstrate compliance
- Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
- Conduct data protection impact assessments of high risk processing activities
- Implement privacy by design and by default
- Implement data breach notification
How is Bank of America complying with the GDPR?
The Bank is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.
The Bank established an enterprise-wide GDPR programme, with key executive sponsorship, that covered its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU were reviewed, including applications and databases, policies, processes, and procedures to ensure that employees, partners, and vendors process personal data in compliance with GDPR requirements.
Bank of America leverages a network of country compliance officers and a global Privacy Legal and Compliance team to ensure sustainable compliance with the GDPR going forward.
Does Brexit change the position for the GDPR in the UK?
As a result of Brexit, the UK will no longer be part of the European Union and has implemented a legal mechanism that largely follows the GDPR. The UK Data Protection Bill provides the equivalent legal mechanism that meets GDPR standards and reflects the UK’s commitment to high data protection standards post-Brexit. For more information, refer to the Information Commissioner’s Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
I am a client outside the EU; am I affected?
The GDPR’s territorial scope of application is wider and may apply to organisations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Bank of America reviewed all of its data processing activities involving individuals in the EU to determine if the broader territorial scope applies. The Bank took the necessary actions, which included updating Terms and Conditions of business, to reflect the changes required by the GDPR.
Can I see your data privacy policies?
You can see our current policies by visiting the portal(s) you use to access our services or contacting your relationship manager. Please also see the Essential GDPR Documents section below for relevant privacy notices and other information.
Can I update my documentation now to incorporate GDPR compliant clauses?
We have been actively reviewing our client documentation in light of GDPR and engaging with clients as required. Please also see the Essential GDPR Documents section below for relevant privacy notices and other information.