GDPR and Brexit: be prepared!
The General Data Protection Regulation (GDPR) comes into full effect in the UK in May 2018. Even if the UK triggers Article 50 of the Treaty of Rome in March 2017, it has to give two years’ notice to leave the European Union (EU), and therefore cannot escape the new data privacy provisions.
Financial services organisations are going to have to live with GDPR for some time to come: since post-Brexit plans will still require EU citizen data to be processed for most business models, this regulation is here to stay.
Mark Peters and Ryan Rubin, managing directors, Protiviti UK, provide the lowdown on what needs to be done and how.
The new rules apply to all organisations with more than 250 employees processing EU citizen data, not just those in the financial services sector. However, the nature of financial services organisations’ business models means that these firms are more exposed to data protection issues.
Banking, insurance, asset management and other financial firms all collect and hold extensive data about their customers, including information that is shared around the broader financial services group. Often this data is required to be collected for regulatory purposes (such as anti-money laundering – AML – rules), but it is frequently used for extensive marketing and communication activities. Moreover, these organisations are increasingly subject to cyber threats.
Financial services organisations need to get to grips with the GDPR well in advance of May 2018, when the new rules formally harmonise the national data protection laws that currently apply separately in each of the EU’s 28 member states. The penalties for falling foul of the new regulation are daunting – fines of up to four per cent of a business’ global turnover for non-compliance. To put this in perspective, a recent data breach at a large bank could have led to a potential fine of almost £2 billion under the GDPR.
It is incorrect to assume that, following Brexit, GDPR will no longer apply in the UK. Although some industry commentators have drawn the conclusion that Brexit will simplify data governance, it has the potential to make things much more complex for organisations with UK operations. The timetable for GDPR compliance is likely to run ahead of the UK’s formal exit from the EU, which makes it likely that there will be a period, albeit short, when the UK will still be an EU member and GDPR will apply in full. The UK Information Commissioner’s Office (ICO) has already stated that GDPR principles will probably apply in some shape or form post-Brexit.
With the significant number of unknowns relating to the direction that might be taken in the UK and the probable impact of that uncertainty, there are several important things organisations need to consider now to position themselves to face the future with confidence. These include fundamental changes in relation to the GDPR that are unlikely to go away.
For financial services organisations, primary GDPR compliance issues will begin with consent. Organisations will need explicit permission to use their customers’ personal data for any purpose, including marketing. This consent will need to be obtained in a GDPR-compliant manner, which may require many organisations to apply for re-consent before they can use existing customer data.
Customers will also have the “right to be forgotten” and to request that organisations delete all the personal data held on them. Moreover, customers will have the right to portability, requiring information to be transferred between organisations should they choose to move their accounts and money to another service provider. As such, organisations will need to be sure that appropriate and secure systems are in place to enable the transfer of personal data to a competitor if requested.
Organisations will need to consider their customer base broken down by existing customers and new customers. For existing customers, organisations must be able to prove they have obtained permission or authority to use their data and must know exactly where all data for a given customer is held within the systems of the organisation. This requirement will prove challenging for most organisations and, in order to comply, firms will need to have mechanisms in place to transfer an individual’s data to another company, if requested. Similar rules will apply for new customers. Organisations will need to explicitly set out policies and consent procedures explaining how they handle their data protection obligations.
Another potential challenge relates to requirements for data breach notification. If an organisation experiences a data breach, it will be legally required to disclose it to regulators within 72 hours of becoming aware of the breach, and possibly to make a public declaration.
The GDPR also requires a formal compliance framework and sets expectations regarding an organisation’s ability to maintain evidence of data privacy practices. Providing evidence of data protection controls and safeguards will need to be effectively built into processes, systems, new products and services from the beginning of the services being offered to customers.
If data is not carefully controlled throughout a financial services organisation, customers will be able to identify that their data is being used in a way for which they haven’t given their consent, or in violation of a withdrawn permission or request to be forgotten. Understanding the regulation alone will therefore not be enough to ensure compliance. Financial services organisations will need to ensure their organisational structures and processes keep them on the right side of the law.
There are various aspects that organisations should take into consideration in order to face the future confidently:
- Establish ownership and accountability for data privacy
The GDPR requires each organisation to establish a data protection officer who will have specific roles and responsibilities within the organisation. Key responsibilities include carrying out data privacy impact assessments and maintaining a compliance framework, which includes keeping track of evidence of compliance activities.
- Re-evaluate cross-border operations and data flows
Any transfer between the UK and the EU could be deemed an export and thus subject to restrictions and/or increased regulation. Further, contractual provisions governing data transfers around the world or with third parties are likely to have been drafted on the basis that the UK was within the EU at the time of drafting.
As a consequence, arrangements such as binding corporate rules and/or the requirements under US Privacy Shield that were fit for purpose prior to Brexit may no longer be appropriate.
Organisations should ensure they have a good understanding of the nature of cross-border transactions and data flows into and out of the UK. Whether this is for commercial purposes or for the management of its employees, firms will need to assess the possible implications and strategies available for managing the risks.
- Repatriate data
One possible consequence of restrictions on data transfers is that UK organisations hosting data in the EU may need to repatriate this data to the UK, while EU firms operating in the UK may need to repatriate data to EU data centers.
Taking an inventory of the location of data and developing well-thought-out contingency arrangements should data need to be repatriated are important tasks that organisations should be contemplating now.
- Review business change projects
All ongoing business change projects that involve a significant investment in IT should be reassessed to consider implications on data storage, transmission, etc. Given the broad definition of personal data under the GDPR, almost all projects will be affected to some extent.
As a priority, all financial services organisations should evaluate their data center strategy for these projects and decide whether it might be prudent to adopt a different strategy, potentially by moving or splitting data centers across different territories in the UK and/or the EU.
- Review contracts, third parties and offshore activities
Organisations should review contracts with customers and third parties in order to ascertain the “rights” agreed to retain and transfer personal data. Many contracts will have been written on the assumption that the UK is a member of the EU. For example, there could be contracts between two UK entities stating that no personal data can be exported outside of the UK. Organisations should consider any offshore activities and evaluation of third-party suppliers as part of the scope of any review. Moreover, with changes in responsibilities for data processors and data controllers, data privacy clauses may need to be revised to align with the GDPR implications for these roles and responsibilities.
- Training and awareness
Identify the key decision makers who are likely to require early awareness training in order to keep abreast of the potential changes in data protection legislation in the UK. This does not have to be done immediately, but it will be important to identify the key functions and individuals who require awareness training on the potential implications of Brexit. Ensuring that key employees are adequately aware of Brexit implications is a critical component of achieving compliance.
At face value, the immediate implications of Brexit on data privacy might not appear significant. However, firms should be undertaking a reassessment of their approach to managing data privacy, as a top-down, risk-based operational business change may still be required and will need to be shaped. The UK already has a strong commitment to data protection, but post-Brexit – whichever regime is adopted – many UK companies are likely to experience a heightened burden of proof for compliance. In turn, the ability of the organisation to track and provide evidence of compliance may require even more stringent controls to be adopted.