The General Data Protection Regulation (GDPR) is part of the EU data protection reform package through which the European Commission aims to strengthen the rights of individuals in the digital age and simplify the rules for businesses in the EU, contributing to the creation of a Digital Single Market.
On this page you’ll find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the GDPR.
COMMON QUESTIONS AND ANSWERS ON THE GDPR
What is the GDPR?
The EU General Data Protection Regulation (GDPR), the "Regulation," will replace the current EU Data Protection Directive 95/46/EC and will be directly applicable in all EU and EEA Member States as of 25 May 2018.
The GDPR will significantly change the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties. For example, companies must:
- Implement programmatic measures to ensure and actively demonstrate compliance
- Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
- Conduct data protection impact assessments of high risk processing activities
- Implement privacy by design and by default
- Implement data breach notification
How is the Bank preparing for the GDPR?
Bank of America Merrill Lynch is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.
The Bank has established an enterprise-wide GDPR programme, with key executive sponsorship, that covers its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU are under review, including applications and databases, policies, processes, and procedures to ensure that employees, partners, and vendors process personal data in compliance with GDPR requirements.
Bank of America Merrill Lynch leverages a network of country compliance officers and a global Privacy Legal and Compliance team to ensure sustainable compliance with the GDPR going forward.
How will I be affected as a client of Bank of America Merrill Lynch?
The GDPR may require updates to certain data privacy provisions of client agreements to reflect the changes required by the GDPR. If changes in documentation we have in place with you are needed, we will contact you to provide any new privacy terms or notices that are required.
Does Brexit change the position for the GDPR in the UK?
As a result of Brexit, the UK will no longer be part of the European Union and will implement a legal mechanism that will largely follow the GDPR. The UK Data Protection Bill is intended to provide the equivalent legal mechanism that meets GDPR standards and reflects the UK’s commitment to high data protection standards post-Brexit. For more information, refer to the Information Commissioner’s Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
I am a client outside the EU; will I be affected?
The GDPR’s territorial scope of application is wider and may apply to organisations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Bank of America Merrill Lynch is reviewing all of its processing activities involving individuals in the EU to determine if the broader territorial scope applies. If applicable, the Bank will take the necessary actions, which may include updating Terms and Conditions of business, to reflect the changes required by the GDPR.
Can I see your data privacy policies?
You can see our current policies by visiting the portal(s) you use to access our services or contacting your relationship manager. We are working through all our policies and procedures and making updates where necessary to comply with the GDPR.
Can I update my documentation now to incorporate GDPR compliant clauses?
Client documentation impacted by the GDPR is under review and is not yet completed. We are not in a position to agree to revisions to the data protection clauses with individual clients until we complete our review. As such, we will continue to negotiate with clients based on current documentation that complies with current data protection laws. As soon as we complete our review, clients will be provided with the new documentation. It is our intention to do this for all clients at the same time, and with minimal impact and action required of clients to respond.
USEFUL GDPR EXTERNAL RESOURCES
Information Commissioner’s Office:
EU General Data Protection Regulation (full text):
Reach out to your Client Relationship Manager if you have additional queries on GDPR implementation.