New research makes data protection pressures clear
Wendy Spires, Head of research, London, 2 December 2020
Regulatory requirements around data protection continue to be a huge headache for businesses and, in particular, ones like wealth managers for whom processing personal information is their lifeblood. Here, we delve into this hugely important but generally neglected area of research to paint an up-to-the-minute picture of how firms are coping.
The EU’s General Data Protection Regulation came into force two-and-a-half years ago, yet wealth managers’ travails with this incredibly wide-reaching, complex piece of legislation – and those emulating it internationally – are far from over. In fact, as new research by this publication and regtech firm Apiax shows, reducing the associated costs and operational pain is starting to look very urgent indeed.
After surveying and interviewing data protection specialists from a wide range of private banks, wealth managers and Tier 1 banking groups operating in Europe, what first became clear is that firms’ data protection challenges mirror the sheer breadth of the regulations they contend with (EU GDPR alone comprising 99 Articles and 173 interpretive Recitals).
Although 27% reported that their biggest challenges stem from transferring data to other parties and countries, the majority (53%) are still tripping up on issues with day-to-day internal processing. The remaining 20% cited concerns as varied as infrastructure complexity, sheer volume of work, culture and documentation such as the Data Protection Impact Assessments that must be carried out for high-risk processing or technology innovations.
Helicoptering experts
Unsurprisingly, given that data protection touches on so many business areas, specialists are being helicoptered in to assist a panoply of departments including legal, HR and front-office. However, one stands head and shoulders above the rest in creating the most work. As wealth managers further accelerate technology change to deal with the pandemic, a full 50% of respondents report that IT is their department’s biggest client.
As the battle-hardened will know, GDPR also interacts with (and often rubs against) many other laws and regulations. These include rules concerning electronic communications like the EU’s ePrivacy Directive, but also those governing employment, financial record-keeping and the sharp end of governmental imperatives like AML and surveillance. It is little wonder that the data protection laypeople within organisations need significant help with meeting their obligations. As one Data Protection Officer said, “literally everyone is knocking on my door”.
Keeping up to speed
The burden is exacerbated by the fact that data protection teams are often smaller than one might expect, even at very large firms (of which more later). But what came through most strongly is that informing colleagues is really a downstream issue.
As case law, regulatory guidance and even the interpretation of the rules themselves evolve, it is clear that staying on top of requirements is a massive challenge even for the specialists themselves. For starters, the fact that EU states can exercise a wide range of derogations means this apparently “general” regulation can be very territorially particular indeed in its application.
More challenging still is the barrage of change even at the level of primary law. The bombshell invalidation of the US Privacy Shield on 16 July was an object lesson in how fast institutions’ carefully – and expensively – developed processes can be upended. No grace period was granted to the thousands of organisations exporting data to the US under it.
The implications for wealth managers of the Schrems II ruling also reach far beyond just transatlantic transfers. Our research found that most firms rely on Standard Contractual Clauses for both intra-group and third-party transfers, and so the CJEU’s imposition of “supplementary measures” on SCCs and the whole suite of safeguarding mechanisms is arguably an even more dramatic move, as it impacts all jurisdictions bar the 12 the EU currently deems “adequate” in data protection.
That this tiny green list includes the Faroe Islands and Andorra, but not post-Brexit Britain nor any number of other developed countries, underscores how tricky transferring data outside the European Economic Area compliantly will continue to be – particularly as adequacy decisions are also subject to sudden revision.
External expertise unavoidable?
Alongside updated SCCs, wealth managers must now grapple with the European Data Protection Board’s recently issued recommendations on the supplementary measures, which make clear how much work organisations now have to do in evaluating foreign legal regimes on an ongoing basis. And here, we might say, lies one of the greatest rubs when it comes to the costs and pains of data protection compliance.
Although wealth managers may have their own in-house counsel, almost half (46%) of those participating in this study said they have to source regulatory guidance from external law firms, and a fifth turn to consultancies. That 27% said they were able to get support by phone or email suggests many are retaining such services at a cost of (we were told) multiple thousands per day. However, the largest group (40%) of data protection overseers appear to be gathering what insight they can from memos and the like issued by external parties. As one respondent noted, keeping their organisation on top of all this by scouring newsletters and so on “could be a full-time job”.
Digital dissemination
In what is likely a recognition of the enormity of their task, a third of data protection specialists now have updates delivered to them and disseminated across their organisations entirely digitally (such as through an app). Interestingly, while 25% have gone for the easier win of implementing an external solution, 38% have developed one internally. That they have done so at a time of already great technology change for the sector shows just how seriously they are taking the threat of fines, which could amount to 4% of annual global turnover for breaching the rules.
However, the biggest indicator is, of course, rapidly expanding data protection teams. As part two of this research special will show, many wealth managers are set on significantly expanding their teams.
The European data protection study Apiax carried out with WealthBriefing follows a similar one undertaken among Asia-Pacific institutions earlier in the year. To view the full findings of both, click here.