Compliance

Tough New EU Data Laws Go Live - Impact Is Global

Tom Burroughes Group Editor 25 May 2018

Think that the European Union's data rules don't go outside of the bloc? Think again. The impact is global, affecting North American firms doing business in Europe.

Sweeping European Union rules about how to use client data – the General Data Protection Regulation – take effect from today and, as far as the wealth industry goes, the impact spreads far beyond the current 28 members of the EU.

The UK, which in June 2016 voted to leave the bloc (it has not yet actually left), must comply with this legislation, and any jurisdiction coming into contact with the EU will be affected by it in some way, rather as the extra-territorial powers of the US Department of Justice bite when dollar transactions are concerned. Fines for non-adherence to the GDPR’s rule changes will amount to €20 million ($24.8 million) or 4 per cent of annual turnover, and any business, anywhere in the world, that deals with EU citizens’ data could be hit.

The point is particularly important at a time when there is some divergence between regulators’ attitude towards data use in the EU and North America. At present, for example, there is no equivalent of the GDPR in the US, which means that EU citizens using social media platforms such as Facebook have more privacy controls – in theory – than US-based counterparts.

The legislation has grabbed US firms’ attention. A PwC study last year found that GDPR compliance is a top data protection priority for 92 per cent of US organizations (source: information-age.com, Feb 7, 2017). 

Financial consultancy Laven Partners warns that multinational firms with a presence in an EU country such as the UK (a situation applying to large foreign banks such as Singapore’s DBS or US-headquartered Citigroup) will be affected.

“One of the popular questions asked by companies, and one companies are struggling to find a clear answer to, is ‘Can the ICO enforce fines on breaches occurring outside of the EU?’ Many foreign companies wonder if the ICO even has the right to impose fines outside of its jurisdiction,” Laven Partners said. (“ICO” refers to the UK’s Information Commissioner’s Office, the organization with enforcement powers in the UK.)

“For companies that have a physical presence (i.e. an establishment) in the EU, the GDPR can be enforced directly upon them by EU member state authorities. The GDPR requires the appointment of representatives of controllers or processors not established in the EU, as the appointment of a representative is one of the ways the ICO will ensure that companies dealing with data within the EU comply with GDPR requirements,” Laven explained.

To demonstrate how such rules bite, Laven noted that US-headquartered Merrill Lynch, with a UK branch, was fined £45 million ($60.4 million) by the Financial Conduct Authority for failing to report two years’ worth of exchange-traded derivatives transactions, making the bank liable for a penalty under the European Market Infrastructure Regulation.

“As with any new regulation, there will be a degree of uncertainty around the imposition of fines and other corrective measures when the GDPR comes into force. The above examples leave no doubt that the EU can and will ensure enforcement of the new regulation on multinational companies,” Laven said.

The GDPR applies to the processing of personal data of data subjects who reside in the European Union. This covers controllers or processors who are not established in the EU, where the processing activities are related to: (a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (b) The monitoring of their behavior as far as their behavior takes place within the EU.

“This is to say that businesses that collect EU data, directly or indirectly, are subject to the GDPR. Enforcement will not be limited to companies like Google or Facebook,” Laven said. 

The firm noted that Germany, for example, started an investigation into 500 companies with operations in Germany in preparation for the launch of the GDPR. These ranged from micro-sized businesses to large businesses. That probe continues.

More positively, perhaps, the GDPR will put customers and employees (who reside in the EU) in control of their personal data, empowering them to choose how businesses and their third parties use their information. Where personal data is not treated correctly, individuals will have increased rights and can, in some instances, claim compensation.