GDPR: Expectations vs. Realities on the Regime’s Third Anniversary

Author

Alex Schienman

Publish Date

May 25, 2021

Type

Compliance Alert

Topics

Compliance
Cybersecurity

Insights
GDPR: Expectations vs. Realities on the Regime’s Third Anniversary

A Q&A with Alex Schienman, ACA Aponix

The General Data Protection Regulation (GDPR) reached its third-year anniversary on 25 May 2021. Designed to alter data privacy management and operational best practices around the globe, the regime famously introduced the prospect of eye watering fines (as high as €20 million, or 4% of a company’s annual global turnover) as well as reputational risk for non-compliance.

And as this impacted firms regardless of where they are located (if they hold the personal data of EU residents), this regulation caught the attention of firms globally.

Three years after implementation, we speak with Alex Scheinman, Managing Director, ACA Aponix, about the impact of the regulation, how the COVID-19 global pandemic, Brexit and Schrems II influence the regime, and where data privacy rules will head next.

Q: In what ways has GDPR been a success for financial services firms?

A: This depends on how we define success. It’s fair to note that financial services firms have tended to fare better than other sectors when it comes to implementing GDPR aligned privacy programs. There are several reasons that account for this, including the fact that the financial services world is already established as a regulated industry. This means firms tend to have comparatively more robust and mature compliance functions in place than many other sectors and as a result were better positioned to address the voluminous requirements of the GDPR.

The implementation of new privacy programs or enhancement of existing privacy programs with minimal disruption to business operations can also be classed as a success for financial services firms.

Some of this success can be attributed to the high levels of privacy awareness and training in the wake of the GDPR, which helped firms identify and address data privacy risks. This led to more controls around client/investor data (e,g., access, encryption) and more transparency about how firms are protecting the data they collect and store (e.g., privacy notices). From this perspective, GDPR has helped financial services firms elevate their data privacy and information security functions to be more in line with evolving client and public expectations.

Q: Have there been any areas where GDPR hasn’t been so successful for financial services firms?

A: I’m not aware of any struggles that are specific to the financial services firms - the struggles tend to be across all industries. That said, one area where GDPR might not be as successful as hoped is getting Boards and Senior Execs of financial services firms to fully appreciate the requirements of the GDPR. In particular, it remains a concern that many firms retain a pre-GDPR mindset of privacy compliance as paper compliance – i.e., policies, procedures, and contracts. The GDPR requires operational compliance. In fact, firms must be able to demonstrate that they are meeting their obligations. We still have a way to go to get the majority of financial services firms to adopt this mindset.

Another impact was that in 2018, the U.S. Securities and Exchange Commission (SEC) froze applications from European Union-based firms, due to concerns that the General Data Protection Regulation (GDPR) prevented registered investment advisers from providing certain books and records to the SEC for inspection. This two-year long moratorium has now been lifted for UK firms applying for SEC registration.

Q: Have we seen any heavy fines or sanctions being assigned to firms in the financial services space? Is there a consistency in where fines are being allocated (eg. a common theme/failing)?

A: There have been 661 fines issued to date, for a total of 292 million euros. So far, the biggest fines have been issued to Google and H&M (50 and 35 million, respectively). We’ve not yet seem fines as high as 4% of a firm’s global revenue.

The Spanish Data Protection Agency (DPA) has been the most active regulator in terms of number of fines, while Italy has issued the highest total in fines to date.

The two biggest financial services fines were both issued by the Spanish DPA in the last six months. The first enforcement action was against BBVA (Banco Bilbao Vizcaya Argentaria) in December 2020 for 5 million Euros. BBVA was fined for conducting direct marketing via SMS without getting lawful consent and also for failing to include the necessary information in its privacy notice.

The second significant enforcement action was against Caixabank, which received the industries biggest fine of 6 million Euros in January of 2021. The fine was levied due to the banks failure to establish a proper legal basis for processing consumer data and for failing to have the appropriate information in their privacy notices. It’s clear is that the Spanish DPA is paying close attention to the financial services sector.

It’s therefore key that financial services firms monitor data protection agency activity in the EU member states that they are conducting business and they should take steps to verify that they are meeting their compliance obligations to avoid scrutiny from the regulators.

In general, we are seeing fines for a variety of issues: Failure to establish appropriate legal basis, transparency, inadequate security measures, failure to comply with data subject rights requests, failure to comply with data processing principles.

Q: What has been the biggest impact of the new regulation?

A: It really depends on the industry, but in general the GDPR has had a significant influence in shaping data privacy regulation around the globe. For example, recently enacted state privacy laws in the US (e.g., California, Virginia) borrow heavily from the GDPR framework, as do many of the draft regulations that are being considered at both the state and federal levels. Moreover, the GDPR framework has influenced recently enacted privacy regulations in the Caymans and Brazil and has also influenced a number of proposed privacy regulations in China, India, and Canada. Indeed, most of the recent enacted privacy regulation, as well as draft regulations, have been influenced by the EU’s data protection framework.

Q: What about this regulation has caused the biggest headache for firms?

A: Firms have struggled with data discovery, such as personal data inventory and mapping. Understanding what data a firm has in its possession, the purposes for having that data, who the data is shared with (internal and external parties), how long the data is retained, and the security controls in place to protect the data requires a significant effort that can easily overwhelm financial services firms and firms from any industry.

A particular pain point related to data discovery is the problem of unstructured data. Firms store voluminous amounts of unstructured data, including sensitive personal information, in its systems (e.g., email, shared drives). These repositories can pose a significant challenge to firms by making it difficult to meet various privacy obligations such as records management and individual rights.

Financial services firms tend to be challenged by the storage limitation principle. For example, the Compliance function in SEC regulated firms has tended to embrace a culture of data retention. The logic has been that we never know when we may need information, and therefore we don’t purge any data. This culture comes into conflict with privacy regulations like the GDPR that require firms to securely dispose of personal data when there’s no longer a legitimate business or legal reason to retain the data. Financial services firms have been slow to embrace this change and it remains a significant area of risk for this and other industries.

GDPR is a complex regulation. Firms still struggle to understand what their specific obligations are under the regulation. For example, questions remain around when or if a data protection impact assessment is required, the circumstances when the firm can deny a request to access or deletion, the specific security controls that need be implemented and monitored to meet the ‘reasonable’ security obligations and questions about international data transfers in the wake of the Count of Justice of the European Union (CJEU)’s Schrems II decision in the summer of 2020.

Q: What is the impact of Brexit on GDPR? It was initially set to facilitate international data flows, has the ongoing Brexit deal uncertainty impacted this?

A: Brexit may slightly complicate the international transfer landscape but recent opinions from the EU Commission and the European Data Protection Board (EDPB) to grant UK adequacy will mean that EU/EEA data should be able to continue to flow freely to the UK.

Both the UK and EU may revisit this relationship and things could change but for now we don’t see it as a big of a headache as one might have anticipated.

It could be argued that the Schrems II decision may be more of a headache around international flows than Brexit.

Q: Did Covid-19 have an impact on GDPR in any way? According to this piece, it’s principles-based rules supported the development of tools to combat and monitor the spread of the virus.

A: Yes, the principles that underpin the GDPR are well positioned to help ensure that companies keep their staff safe without running afoul of GDPR requirements. Symptom tracking/monitoring tools embraced privacy by design (PbD).

Firms that embraced digital transformation – whether influenced by GDPR compliance or not – tended to be able to handle the Covid crisis better than firms that did not.

Q: What’s next on the horizon for GDPR and other privacy rulings?

A: There are a few things bubbling away:

The EU will continue to promote data protection around the globe and GDPR will continue to influence new privacy legislation.
ePrivacy Regulation is nearing adoption. The EU Council, the EU Commission, and the EU Parliament have now begun a trilogue. The ePrivacy Regulation would replace the ePrivacy Directive and establish data protection requirements around electronic communications.
EU AI regulation – the proposed regulation to promote trust and excellence in the design and use of AI may have an impact on investment firms that are using AI as part of their research and analytics functions.
China is on the cusp of enacting privacy and information security legislation that will create a data protection regime that will be as robust as the GDPR. This will definitely have an impact on PE firms that are looking to invest in companies that are based or have operations in China.

Last year experts were calling for more changes needed, have we seen much progress since? Could 3 (years) be a ‘magic number’ in terms of achieving significant change?

Over the course of 2020 and 2021, the EDPB published a considerable amount of guidance on how firms should be complying with their GDPR obligations. For example, in the last year the EDPB issued advice on the use of social media targeting, data breach notifications, data protection by design, and international data transfers. Firms will continue to need guidance to effectively address their privacy obligations, but one area that certainly continues to pose a significant challenge is the implementation of the GDPR’s consistency mechanism, which was designed to ensure that the GDPR was uniformly enforced across the EU’s member states. Unfortunately, we still see significant discrepancies in enforcement from one member state to another and should expect to see more efforts in the coming year to harmonize the data protection requirements and enforcement strategies across the member states.

How we help

Contact us to learn more about our award-winning solutions designed to help firms uncover risks and identify deficiencies in their cybersecurity policies, procedures, and controls.

Our ACA Aponix team provide cybersecurity and technology risk programs (including GDPR), data privacy compliance, vendor and M&A diligence services, network testing, and advisory services for companies of all sizes.

Or for firms wishing to take advantage of the SEC registration moratorium lift, we have a dedicated London-based team, offering SEC regulatory consulting for firms located outside of the U.S.

And we have a wide range of Brexit solutions designed to help global firms find solutions to overcome their Brexit challenges and continue to access the UK markets.

These include: