INTO THE LIGHT.
Heather McKenzie assesses the impact of GDPR to date and the work that is still required to get up to speed.
It has been nine months since the European Union’s General Data Protection Regulation (GDPR) came into effect and many would say it’s too early to judge its success. However, the Facebook Cambridge Analytica scandal has reminded organisations of what is at stake in preserving and protecting personal data.
According to European Commissioner for Justice, Consumers and Gender Equality, Vera Jourová, speaking at the Computers, Privacy and Data Protection conference in Brussels in January, while the GDPR had initially been criticised, it has been “finally embraced” and understood. Data breaches and mishandling scandals “remind us of what is at stake – from preserving our most intimate sphere to protecting the functioning of our democracies and ensuring the sustainability of our increasingly data-driven economy”. She added that GDPR is a “tool for businesses to try to regain the lost trust. And I do not see any offers of a better response”.
Cambridge Analytica had acquired and used personal data about Facebook users from an external researcher who had told Facebook he was collecting it for academic purposes
The compliance headache
If GDPR is now a fact of life, it is one for which compliance has involved a great deal of work at financial institutions. Aoife Harney, senior regulatory consultant at software company Fenergo, says the regulation “required a huge amount of preparatory work from organisations in scope”. That scope included non-European organisations, because GDPR imposes extra-territorial obligations on many firms. The tests are establishment (whether an organisation is deemed to be established in the EU) and, for organisations established elsewhere, whether they offer goods or services to, or monitor the behaviour of, data subjects within the Union.
Harney says there are “common threads” that will run through any organisation’s approach to GDPR compliance that may help when preparing for data protection and privacy requirements in other jurisdictions. “Approaches will depend on the nature, scale and complexity of the business, and the quantity and sensitivity of data they process, among other factors. But all organisations should take a ‘privacy by design and default’ approach to data protection,” she adds.
The GDPR requires organisations to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is privacy by design, or in the Regulation’s own terms ‘data protection by design and by default’. The UK’s Information Commissioner’s Office (ICO) says that, in essence, this means firms must integrate or ‘bake in’ data protection to their processing activities and business practices, from the design stage right through the lifecycle.
According to the ICO, “Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.”
Steven Martin, associate director at consultancy CapCo, says previously, privacy by design was “largely only for the elite, large institutions. It was adhered to when new systems or products were being developed and built in from the start. GDPR has made it necessary for all organisations to consider privacy by design and make sure they embed it in all their products and services.”
Among the specific techniques that have been employed, organisations are mapping how personal data moves across their networks and where it is stored, and are applying tighter security measures to data both in transit and at rest, including encryption, he says.
“Encryption can be an easy win for an institution. Linked to this idea is pseudonymisation – where data is protected by a separately held key. This means users can un-encrypt it and bring it back into a personal data form.”
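To make the “separately held key” idea concrete, here is an added example (not code from the article, from CapCo or from any of the people quoted). It uses a keyed hash (HMAC-SHA256) to turn direct identifiers into pseudonyms, and a lookup table stored alongside the key, rather than decryption, as the route back to the personal data; the customer schema, the choice of which fields count as direct identifiers, and the sample records are all constructed for illustration. It also shows why the key matters: an unkeyed hash of an email address can be reversed by anyone who can guess the address.

```python
"""Pseudonymisation with a separately held key: illustrative code, not from the article."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional, Tuple

# Illustrative customer schema; which fields count as direct identifiers is an
# assumption of this example, not something the article specifies.
DIRECT_IDENTIFIERS = ("customer_id", "email")

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "a.jones@example.com", "aum_eur": 250000, "segment": "retail"},
    {"customer_id": "C-1002", "email": "b.lee@example.com", "aum_eur": 1200000, "segment": "hnw"},
    {"customer_id": "C-1003", "email": "a.jones@example.com", "aum_eur": 80000, "segment": "retail"},
]


def new_pseudonymisation_key() -> bytes:
    """The secret that must be stored apart from the pseudonymised dataset."""
    return secrets.token_bytes(32)


def keyed_token(key: bytes, field: str, value: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over field name and value.

    Deterministic, so records sharing an identifier still join after
    pseudonymisation; keyed, so the token cannot be recomputed without the key.
    The field name is mixed in so the same string in two fields gives two tokens."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_token(field: str, value: str) -> str:
    """The weak alternative: a plain hash involves no secret, so anyone who can
    guess the input can recompute the token and match it."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hashlib.sha256(msg).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes, lookup: Dict[Tuple[str, str], str]) -> dict:
    """Replace direct identifiers with tokens. `lookup` (field, token -> value)
    is the re-identification table that, together with `key`, is held separately
    from the pseudonymised data and under its own access control."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = keyed_token(key, field, str(out[field]))
            lookup[(field, token)] = str(out[field])
            out[field] = token
    return out


def reidentify(record: dict, lookup: Dict[Tuple[str, str], str]) -> dict:
    """Restore identifiers for a party entitled to use the separately held table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        entry = (field, out.get(field))
        if entry in lookup:
            out[field] = lookup[entry]
    return out


def dictionary_attack(token: str, field: str, candidates: Iterable[str],
                      tokenise: Callable[[str, str], str]) -> Optional[str]:
    """Try to reverse a token by tokenising guesses the way the attacker believes
    the data holder did. Succeeds against plain hashes; fails against keyed
    tokens unless the attacker also holds the key."""
    for guess in candidates:
        if tokenise(field, guess) == token:
            return guess
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    table: Dict[Tuple[str, str], str] = {}
    pseudo = [pseudonymise(r, key, table) for r in SAMPLE_RECORDS]
    # Records 1 and 3 share an email, so they share a token and can still be grouped.
    assert pseudo[0]["email"] == pseudo[2]["email"]
    assert all(reidentify(p, table) == r for p, r in zip(pseudo, SAMPLE_RECORDS))
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    print("plain hash reversed:", dictionary_attack(unkeyed_token("email", guesses[1]), "email", guesses, unkeyed_token))
    print("keyed token reversed:", dictionary_attack(pseudo[1]["email"], "email", guesses, unkeyed_token))
```

Two practitioner points follow from the code. First, the protection rests entirely on keeping `key` and `table` away from whoever holds the pseudonymised records; if they are stored in the same database under the same credentials, nothing has been gained. Second, data pseudonymised this way remains personal data under GDPR (Article 4(5) and Recital 26), because the additional information needed to re-identify it still exists; pseudonymisation reduces risk and supports data minimisation, but it does not take the dataset out of scope.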
A key difference in how GDPR is approached will be who leads the programme, says Philip Greaves, a director and GDPR lead at consultancy Protiviti. “Is it a legal and compliance task or operations/IT led? If the legal and compliance team leads it, the focus is often top-down policies, privacy notices, contracts, etc. If operations/IT, the focus will be on IT systems compliance, information security controls, etc.”
Some organisations, says Greaves, have passed responsibility for GDPR on to an information security chief, although there is much in the Regulation that is not directly related to information security. “It is important to have a balanced approach, bringing in capabilities from privacy, legal, marketing, human resources, IT, information security and customer services.”
Martin says one of the first moves regarding GDPR compliance that many firms made – particularly if they were in the public sector, or an organisation that deals with large volumes of data or sensitive data – was to decide whether or not they needed to appoint a data protection officer. This got people thinking about GDPR compliance, he adds.
In terms of data management, there were parallels between GDPR and other EU regulations such as MiFID, says Greaves. His colleague, Stuart Campbell, a director and market infrastructure lead at Protiviti, says managing data is a common feature in much of regulatory change, whether it is MiFID II or GDPR. “An issue for buyside firms to tackle is the way data is outsourced to service providers such as transfer agents. How to control the transfer of data and how to map it is very important. For those firms that use a cloud services provider, the issue is even more complex, including ensuring control over who accesses the data within the organisation and for what purpose. Risk profiles can change; hence training has to be very specific and up to date.”
Firms always knew there would be a data challenge with GDPR, and with MiFID II too, he adds. “Many took the view with MiFID II that they would get over the line and go back and make it more efficient later on. This is especially true for the quality of transaction reporting, which is heavily dependent on the quality of data.”
Campbell says reporting was always expected to be patchy to begin with, but the UK’s Financial Conduct Authority (FCA) expected it to improve over time. “The FCA is also getting firmer with organisations, insisting that issues are ironed out. It’s in the regulators’ interest to ensure financial institutions have the right processes in order to deliver accurate, timely and complete information to them.”
The Data Protection Directive (95/46/EC) meant that each EU Member State already had data protection requirements in place before GDPR, so many organisations in scope already had to comply with the requirements of their respective national regulators, says Harney. “Those organisations would have already had a good foundation in place on which to build GDPR-compliant policies and controls.”
She adds that GDPR has had a “butterfly effect” around the world, as national authorities and governments outside the EU are now clamouring to ensure their data protection laws meet the high global standard set by GDPR. Doing so allows these jurisdictions to apply for white-listed status (an EU ‘adequacy’ decision) or eases the arrangement of cross-border data transfers. “There is a great deal of work under way in the US, Asia Pacific, Africa and in South America, where similar principles to GDPR are being implemented, although there will be some deviations – including controversial data localisation rules,” she says.
Martin says some countries have decided that if the GDPR is “good for the EU, then it is good for us”. Brazil, for example, is implementing a new data protection regime that will come into effect in February 2020. It is a cut-down version of GDPR, he says, and recognises the cross-border transfer of data and is aimed at protecting Brazilians’ data wherever it is. “Like many regulators, those in Brazil are recognising that they need to protect their citizens’ data in the global environment – not just within their borders,” he adds.
Thailand also recently announced a new data protection law based on GDPR, including protection of its citizens’ data in cross-border processing. This is likely to be effective from mid-2020.
Jourová adds: “When we look around the world, from Asia to Latin America, we see that a growing number of countries are adopting new privacy laws that are inspired by our European law. People around the world want to see their privacy protected. Consumers want their data to be safe. In turn, businesses recognise that strong privacy protections give them a competitive advantage as confidence in their services increases.”
©Best Execution 2019