Data Protection Issues for Financial Services Companies
1. The risks associated with remote working
Financial service companies have a well-trodden path stretching back to evidence their compliance with strict data protection and privacy rules set by regulators. Core structures, a healthy appreciation of data risk and detailed procedures are in place to withstand intense scrutiny and monitoring. While many discuss the impact of GDPR several years on, the sector itself was poised to embrace the changes with minimal disruption given the culture already instilled. COVID-19 has resulted in the shift from regulation to necessity driving a rapid review of these polished processes and controls. Swapping the secure office environment for our homes has led to various challenges that evolve as time passes. The phased or partial return to the workplace does not mitigate against the associated risks given the capacity issues faced when following government social distancing guidance. Remote working, at least for the foreseeable future, is here to stay and is the new norm.
Overnight, financial companies had to put new data protection systems for employees in place to enable them to work from home. Whilst many did this well, it is likely that some employers did not put in proper governance around remote working and we will see the implications of this over the coming months.
Anyone who has spent time adjusting to the new norm of video conferencing will have experienced their fair share of connectivity issues. An irritation to be sure, but the effect this has on staff trying to carry out tasks, particularly to a deadline, should not be underestimated. The "culture" in place is immediately at risk as employees look for ways to get the job done. Persistent problems with a remote desktop connection may lead to employees working offline and circumventing the controls that have been painstakingly rolled out at short notice. Some may revert to legacy methods that involve large amounts of paper that "got the job done". In an industry where adherence to retention schedules and navigating data minimisation against conflicting legal obligations is already difficult, the appearance of these additional data stores represents a significant challenge. Apart from a thorough review of existing policies, frequent and tailored awareness programmes for employees are key to maintaining the culture.
Financial companies are now working hard to understand the fallout from employees working from home, including data sharing, and making local copies of data. Many are now adapting existing frameworks, looking to improve the transparency of their privacy policies, breach reporting and their ability to respond fully to individuals' rights requests under data protection law.
Every financial organisation will need to undertake Data Protection Impact Assessments (DPIAs) given the scale of health, HR and financial data now being processed remotely. A DPIA is also a vital requirement in the legal context of COVID-19 contact tracing.
2. Impact of Schrems II ruling
International data transfers continue to be one of the most discussed subjects in the world of privacy and data protection, as personal data can now be transferred around the globe at the touch of a button in a way that was inconceivable only a few years ago.
This presents huge opportunities for international trade but genuine concerns for privacy and protection of personal information for financial companies.
The European Data Supervisory Authorities recently ruled the EU/US transfer mechanism, Privacy Shield, inadequate. The situation is both complex and politically charged. Many financial companies have yet to understand the implications of this recent ruling, and it will be a new exercise for many EU data controllers. Where financial companies rely on Privacy Shield, they will need another lawful transfer mechanism immediately. Critically, there is no grace period: each transfer requires an assessment which takes this decision into account. The UK data regulator, the ICO, initially indicated that organisations could continue using Privacy Shield, but that advice has been withdrawn.
Where they rely on Standard Contractual Clauses (SCCs), a risk assessment or Data Protection Impact Assessment (DPIA) will need to be completed to ensure any data recipient outside the EU/EEA complies with EU data protection requirements.
The has said that SCCs are only part of the process. Assessments are required that consider the risk of access to the personal data by the public authorities of the third country (where the data is transferred). Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures to safeguard that data.
3. The implications of Brexit and how to prepare
The UK's separation from the EU has resulted in the UK adopting the EU GDPR into UK law, essentially creating the UK GDPR. Many financial services companies are not prepared to comply with both the UK and EU General Data Protection Regulations (GDPR) from 1st January 2021. A key requirement of this change in the law will be the need for the many UK companies that process data on EU residents, but do not have a presence within the EU, to appoint a Representative within the EU.
If you are processing both EU and UK personal data, review your EU lead authority. Ascertain whether you need an EU/UK representative after Exit Day, and update policies and agreements to reflect the UK's third country status. There are many ways in which you can reduce your organisation's exposure to future privacy risks, but companies need to take action now to prepare for the new data, privacy and financial landscape.
For the boardrooms of financial companies, the increased scrutiny that will inevitably follow the current crisis will place a greater emphasis on effective decision-making and risk management from now on. Ensuring these processes are as dynamic as possible is key, and effective data protection will be even more important to risk management.
is the #1 trusted solution for outsourcing privacy compliance, specialising in Financial Services organisations. Customers can rest easy knowing they have the most powerful solution to help comply with 100s of regulations. Get started here!
Our initial GDPR audit is FREE, and being partnered with OneTrust we offer a comprehensive virtual DPO service, offering tremendous value for money, available both on a monthly subscription and on a stand-alone basis.
Get in touch for an initial virtual coffee chat and start the journey towards complete compliance: email@example.com
Covid-19 has resulted in huge pressure being put on data management, decision-making and governance in UK financial companies, and there are now three key data protection issues that should be on every financial company's agenda.
Three data and privacy issues that UK financial companies need to know now:
1. The risks associated with remote working
2. Impact of Schrems II ruling
3. The implications of Brexit and how to prepare