The GDPR In Its Fourth Year - Q&A With An Expert

October 12, 2021
To review the last three years of the EU's General Data Protection Regulation (GDPR), VIXIO spoke to Alex Scheinman, managing director at ACA Aponix, about the regulation's effect on the world, the influence that coronavirus, Brexit and Schrems II have had on it and the future of data privacy.

The European Union's General Data Protection Regulation (GDPR) had its third anniversary on May 25. It empowers regulators to levy large fines (with a ceiling as high as €20m, or 4 percent of a company’s annual global turnover) and has added to the reputational risk that comes with non-compliance. It affects firms all over the world that hold the personal data of people who live in the EU.

The rest of this article is in the form of a question-and-answer session.

Q: In what ways has the GDPR been a success at financial firms?

A: It depends on how we define success. It’s fair to note that financial firms have tended to adjust to it better than those in other sectors. This is partly because they are already in a regulated industry, so they tend to have more robust and mature compliance functions in place than other firms.

The implementation of new privacy programmes or the enhancement of existing ones with minimal disruption to business operations can also be classed as a success for financial firms.

Some of this success can be attributed to the high levels of privacy awareness and training that the GDPR has prompted, which has helped firms identify and address data privacy risks. This has led to more controls around client/investor data (e.g., access and encryption) and more transparency about how firms are protecting the data they collect and store (e.g., privacy notices). From this perspective, the GDPR has helped financial firms to come more into line with the evolving expectations of clients and the public.

Q: Are there any areas in which the GDPR has not been so successful in the financial sector?

A: I’m not aware of any struggles that are specific to financial firms; the struggles tend to happen in all industries. That said, one area where GDPR might not be as successful as I once hoped is in getting boards and senior executives at financial firms to appreciate its requirements fully. Many firms retain a pre-GDPR mindset of privacy compliance as paper compliance, i.e. compliance that is limited to policies, procedures and contracts. The GDPR requires operational compliance. In fact, firms must be able to show regulators that they are meeting their obligations. We still have a way to go to get the majority of financial services firms to adopt this mindset.

Another point is that in 2018 the US Securities and Exchange Commission (SEC) froze applications for registration from firms based in the European Union because it thought that the GDPR prevented registered investment advisors (RIAs) from showing its examiners certain books and records. This two-year-long moratorium has now been lifted for UK firms that apply to the SEC.

Q: Have we seen any heavy fines or sanctions in the financial sector? Is there any consistency between the fines in terms of common themes or failures at firms?

A: Regulators have issued 661 fines to date, at a total of €292m. The biggest fines have been levied on Google and H&M (€50m in France and €35.3m in Germany, respectively). We’ve not yet seen fines as high as 4 percent of any firm’s global revenue.

The Spanish Data Protection Agency (DPA) has been the most active in terms of the number of fines it has imposed, while Italy has fined firms the most money.

The Spanish DPA levied the two biggest financial service fines in the last six months. The first was against BBVA (Banco Bilbao Vizcaya Argentaria) in December 2020 for €5m. The bank was fined for conducting direct marketing by short message service (SMS) without obtaining people's lawful consent and for failing to include the necessary information in its privacy notice.

The second significant enforcement action was against CaixaBank, which had to pay the industry's biggest fine of €6m in January this year. CaixaBank was fined for failing to establish a proper legal basis for processing consumer data and for failing to have the appropriate information in its privacy notices. It is clear that the Spanish DPA is paying close attention to the financial sector.

Financial service firms must, therefore, monitor the activities of data protection agencies in the EU member states in which they conduct business.

In general, we are seeing fines for a variety of issues: failure to establish appropriate legal bases for processing personal data, transparency, inadequate security measures, failure to comply with data subjects' requests and failure to comply with data processing principles.

Q: What has been the biggest consequence of the regulation?

A: Its part in shaping data privacy regulation around the globe. Recently enacted state privacy laws in the US (e.g., in California and Virginia) borrow heavily from it, as do many bills that are being considered at both state and federal level. It has influenced recent privacy regulations in the Caymans and Brazil and a number of proposals for such regulations in China, India and Canada. Indeed, it has influenced most of the recent laws and draft laws.

Q: What is the biggest headache that the GDPR has caused at financial firms?

A: Firms have struggled with data discovery, especially with personal data inventories and mapping. They have to know what data they possess, the purposes for which they have that data, who they are sharing the data with (internal and external parties), for how long they are retaining it and the controls in place to make it secure. The effort to do this can easily overwhelm them.

A particular pain point that relates to data discovery is the problem of unstructured data. Firms store voluminous amounts of it, including sensitive personal information, in their systems on email, shared drives, etc. These repositories can make it difficult for the firms to meet various privacy obligations such as records management and individual rights.

Financial service firms tend to be challenged by the storage limitation principle. For example, compliance functions at SEC-regulated firms have tended to embrace a culture of data retention. The logic has been that we never know when we may need information and therefore we should not purge any data. This culture comes into conflict with privacy regulations like the GDPR that require firms to dispose of personal data securely when there is no longer a legitimate business reason or a legal reason to retain it. Financial firms have been slow to change their ways and it remains a significant area of risk.

The GDPR is a complex regulation. Firms are still struggling to understand their specific obligations. For example, questions remain around when or if a data protection impact assessment is required, the circumstances in which the firm can deny a request for access or deletion, the specific security controls that it needs to implement and monitor to meet its "reasonable" security obligations and questions about international data transfers in the wake of the Court of Justice of the European Union's (CJEU) Schrems II decision in Summer 2020.

Q: What effect has Brexit, the UK's exit from the EU, had on adherence to the GDPR?

A: Brexit may slightly complicate the international transfer landscape but recent opinions from the European Commission and the European Data Protection Board (EDPB) to grant the UK "adequacy" will mean that EU/EEA data should be able to continue to flow freely to the UK.

Both the UK and the EU may revisit this relationship and things could change, but for now I think that the Schrems II decision may cause more trouble for international flows than Brexit.

Q: Has coronavirus had an effect on adherence to the GDPR in any way?

A: Symptom tracking/monitoring software has embraced privacy-by-design (PbD). Firms that embraced digital transformation — whether out of a desire to comply with the GDPR or not — tended to be able to handle the COVID-19 crisis better than firms that did not.

Q: What’s next on the horizon for privacy?

A: There are a few things bubbling away.

  • The EU will continue to promote data protection around the globe and the GDPR will continue to influence new privacy legislation.
  • The ePrivacy Regulation is nearing adoption. The European Council, the European Commission and the European Parliament have now begun a trilogue. They want the ePrivacy Regulation to replace the ePrivacy Directive and protect the personal data in electronic communications.
  • EU AI regulation — the proposed regulation to promote trust and excellence in the design and use of artificial intelligence — may have an impact on investment firms that are using AI as part of their research and analytics functions.
  • China is on the cusp of enacting privacy legislation and information security legislation that will create a data protection regime that will be as robust as the GDPR. This will definitely have an impact on private equity firms that want to invest in companies that are based in or operating in China.

Q: Do you think that the EU might change the GDPR in the next year?

A: Over the course of 2020 and 2021, the EDPB published a considerable amount of GDPR-related guidance. It issued advice on the use of social media [advert] targeting, data breach notifications, data protection by design [the embedding of software and other things that make data more private directly into the design of projects in their early stages] and international data transfers.

Firms will continue to need guidance to obey the GDPR, but its "consistency mechanism", which is supposed to compel regulators in all member states to enforce it uniformly, is still proving to be a challenge.
