
The EU's new data protection regulation: your obligations at-a-glance

Chris Hamblin, Editor, London, 8 November 2016


At MetricStream's governance, risk and compliance conference in London yesterday, a panel of experts mapped out the likely problems and opportunities that financial firms face in respect of the European Union's latest data protection initiative.

The panel looked at the task that firms are facing of learning how to comply with the GDPR, the General Data Protection Regulation by which the European Union intends to strengthen and standardise protection for data that relates to the citizens of its countries and to regulate the export of personal data from EU countries to other countries. This international edict, which automatically appears on the statute book in each subject country of the EU, is timed to take effect on 25 May 2018. A new directive, not discussed here, waives people's data protection for police forces. The GDPR was the most requested topic at the MetricStream conference.

On the panel were Bojana Bellamy and Steve Durbin, both heads of information think-tanks; Renzo Marchini, a partner at the City law firm of Fieldfisher; Anthony Lee, a partner at DMH Stallard, the hundredth-largest law firm based in the UK; and the moderator Kabir Barday, the CEO of OneTrust, an American privacy management software firm. It is rare to find a more eminent group of experts on the subject.

New rules and old

The regulation gives EU countries discretion in some areas of data protection, such as data about children and employees, but it promises a far greater standardisation of rules than heretofore. It contains many rules from the existing directive and adds more, notably the principle of 'accountability' (which obliges firms not only to comply but also to be seen to comply) and that of 'transparency' (the idea that firms must keep the key people informed about the purpose for which their data is being collected, what is being done with it, where it is being stored and the basis upon which that happens). Not only will data controllers have statutory responsibilities as they do now, but data processors will as well.

The regulation is going to tighten up the rules that govern the consent that firms have to obtain from people when processing their data. As Anthony Lee put it: "The consent, in summary, must be informed and freely given. Having a pre-tick box to say 'I consent' buried in a set of Ts and Cs on a privacy policy is a complete no-go."

The area of breach notification is the most talked-about part of the regulation among financial firms. If there is a security breach or some other breach of the regulation, the bank or asset management firm will have 72 hours to tell the government unless it can convince itself that the individuals in question will not be harmed. It will also have to inform those people about the problem straight away so that they can take appropriate measures, perhaps changing passwords.

Broadly speaking, then, security and data exporting requirements will remain substantially the same. There will, however, be a profusion of new obligations to do with consent and breach notification.

Key GDPR changes at-a-glance

Bojana Bellamy produced a graphic table that summarised the main changes that the new regulation will bring in. It listed them as follows.

Harmonisation [i.e. EU-wide standardisation of law] and progressive aspects

  • harmonised rules, but not fully (e.g. employee data, children's data)
  • one-stop shop: lead data protection authority for pan-European matters, in co-operation with others; local data protection authority for local matters and redress for individuals
  • risk-based approach
  • some reduction of administrative burden (no national registration of processing, or prior authorisation)
  • BCR (binding corporate rules, to be used for lawful cross-border data transfers within the same group of companies), seals and certifications
  • greater co-operation and consistency

Broader scope

  • obligations for both controller and processor
  • extraterritorial application to foreign controller and processor
  • wider definition of personal data and sensitive data; anonymous data and pseudonymisation
  • processing of data about children under 16 to require parental consent

Increase in obligations

  • data protection principles tightened (consent, transparency/notices)
  • profiling rules
  • privacy impact assessment
  • privacy by design
  • breach notification - to data protection authorities and individuals
  • direct obligations and liability for processor
  • accountability - privacy programme
  • internal record of processing
  • data protection officer

Stronger rights for individuals

  • right to erasure of data
  • data portability
  • right not to be subject to automated profiling/right to object

Increase in enforcement, fines and liability

  • regulatory fines up to 4% of annual worldwide turnover
  • individual action
  • class action
  • criminal sanctions (in national laws)
  • larger role for the European Data Protection Board (EDPB)

[Source: www.informationpolicycentre.com]

Bojana Bellamy said that she had asked people what sort of things they had in place at present for breach notification, and 60-75% told her that they had policies and procedures that detected breaches. Only a third or a quarter had cyber insurance, paid forensic experts and did dry runs and table-top exercises, putting their companies through simulated security breaches.
