Data protection issues for financial service companies

By Rob Masson

Covid-19 has resulted in huge pressure being put on data management, decision-making and governance in UK financial companies and there are now three key data protection issues that should be on every financial companies’ agenda: 

Three data and privacy issues that UK financial companies need to know now: 

1.  The risks associated with remote working 

Financial service companies have a well-trodden path stretching back to evidence their compliance with strict data protection and privacy rules set by regulators. Core structures, a healthy appreciation of data risk and detailed procedures are in place to withstand intense scrutiny and monitoring. While many discuss the impact of GDPR several years on, the sector itself was poised to embrace the changes with minimal disruption given the culture already instilled. COVID-19 has resulted in the shift from regulation to necessity driving a rapid review of these polished processes and controls. Swapping the secure office environment for our homes has led to various challenges that evolve as time passes.  The phased or partial return to the workplace does not mitigate against the associated risks given the capacity issues faced when following government social distancing guidance. Remote working, at least for the foreseeable future, is here to stay.

Overnight, financial companies had to put new data protection systems for employees in place to enable them to work from home.  Whilst many did this well, it is likely that some employers did not put in proper governance around remote working and we will see the implications from this over the coming months.  

Anyone having spent time adjusting to the new norm of video conferencing will have experienced their fair share of connectivity issues. An irritation to be sure but the affect this has on staff trying to carry out tasks, particularly to a deadline, cannot be underestimated. The “culture” in place is immediately at risk as employees look for ways to get the job done. Persistent problems with a remote desktop connection may lead to employees working offline and circumventing the controls that have been painstakingly rolled out on short notice. Some may revert to legacy methods that involve large amounts of paper that “got the job done”. In an industry where adherence to retention schedules and navigating data minimisation against conflicting legal obligations is already difficult, the appearance of these additional data stores represents a significant challenge. Apart from a thorough review of existing policies, frequent and tailored awareness programmes for employees are key to maintaining the culture.

Financial companies are now working hard to understand the fallout from employees working from home, including data sharing and making local copies of data.  Many are now adapting existing frameworks, looking to improve the transparency of their privacy policies, breach reporting and their ability to respond fully to individuals’ rights requests under data protection law. 

Every financial organisation will need to undertake Data Protection Impact Assessments (DPIA) given the scale of health, HR and financial data now being processed remotely. 

2. Impact of Schrems II CJEU ruling

International data transfers continue to be one of the most discussed subjects in the world of privacy and data protection as personal data can now be transferred around the globe at the touch of the button in a way that was inconceivable only a few years ago.  

This presents huge opportunities for international trade but genuine concerns for privacy and protection of personal information for financial companies.

The CJEU recently ruled the EU/US transfer mechanism, Privacy Shield, as inadequate. The situation is both complex and politically charged. Many financial companies have yet to understand the implications of this recent ruling and it will be a new exercise for many EU data controllers. Where financial companies rely on Privacy Shield, they will need another lawful transfer mechanism immediately. Critically there is no grace period with each transfer requiring an assessment which takes this decision into account. The ICO initially indicated that organisations could continue using Privacy Shield but that advice has been withdrawn.

Where they rely on Standard Contractual Clauses, a risk assessment or DPIA will need to be completed to ensure any data recipient outside the EU/EEA complies with EU data protection requirements.  

The CJEU has said that SCCs are only part of the process. Assessments are required that consider the risk of access to the personal data by the public authorities of the third country (where the data is transferred). Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.

3. The implications of Brexit and how to prepare

The UK’s separation from the EU has resulted in the UK adopting the EU GDPR into UK law, essentially creating the UK GDPR.  Many financial services companies are not prepared to comply with both the UK and EU General Data Protection Regulations (GDPR) from 1^st January 2021.  A key requirement of this change in the law will be the need for the many UK companies that process data on EU residents, but do not have a presence within the EU, to appoint a Representative within the EU. 

If you are processing both EU and UK personal data review your EU lead authority.  Ascertain if you need an EU/UK representative after Exit Day, and update policies and agreements to reflect the UK’s 3rd country status. There are many ways in which you can reduce your organisation’s exposure to future privacy risks, but companies need to take action now to prepare for the new data, privacy and financial landscape.

James Collis, Partner, Squire Patton Boggs added “For the boardrooms of financial companies, the increased scrutiny that will inevitably follow the current crisis will lay a greater emphasis on effective decision-making and risk management from now.  Ensuring these processes are as dynamic as possible is key, and effective data protection will be even more important to risk management.” 

About the Author

Rob Masson, as founder and CEO of The DPO Centre, Rob is actively driving innovation, transformation and thought leadership in data protection and privacy. With over 30 years of business experience, Rob has been involved in delivering solutions to some of the world’s largest and most respected companies.

Rob set up The DPO Centre to assist organisations of all sizes to identify how evolving Data Protection legislation will affect them, the steps they need to take to comply, and how when implemented well, compliance builds trust, confidence, loyalty and engagement.