When the General Data Protection Regulation (GDPR) came into force in May, it affected every company that does business within the European Union and the European Economic Area (EEA). Its main purpose is the protection of each individual’s data, but its privacy and compliance obligations have placed a significant burden on companies of all sizes and across all sectors.

Similar legislation exists in Turkey, although there are distinct differences. On one notable point, however, the two regimes are in harmony: just as non-compliance with GDPR carries substantial penalties, so does any breach of the Turkish provisions. Failure to comply can lead to administrative fines and criminal penalties. As a result, every company that already does business in Turkey, or plans to do so, needs to be aware of how these laws might affect its operations.

Partly in anticipation of GDPR, Turkey’s Data Protection Law (DPL) was enacted in 2016. Turkey’s supervisory authority, the Personal Data Protection Board (DPB), is still publishing assorted regulations and communiqués relating to it, as well as draft versions of secondary legislation. Under these rules, data controllers who handle personal data are subject to multiple obligations. The legislation also applies to ordinary employees, making it significant for every company operating in Turkey.

So when comparing DPL with GDPR, what are the differences that affect businesses operating in Turkey? Although it stems from EU Directive 95/46/EC, DPL features several additions and revisions. It contains almost all of the same fair information practice principles, but it does not allow for a “compatible purpose” interpretation: further processing for a purpose other than the one originally notified is prohibited. Where the subject has consented to data being collected for a specific purpose, the controller can only use it for another purpose if further consent is obtained, or if the further processing is necessary for legitimate interests.

The grounds for processing under DPL are similar to those under GDPR, save that explicit consent is needed when processing both sensitive and non-sensitive personal data. Inevitably, this is much more time-consuming. Such a burdensome obligation might initially suggest that DPL provides a higher level of data protection than GDPR, but DPL’s definition of explicit consent has to be compared with GDPR’s ordinary consent. ‘Freely given, specific and informed consent’ is common to both, while GDPR further requires an ‘unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

While DPL consent might therefore appear less onerous than GDPR consent, no DPB enforcement action has yet occurred, so the interpretation of explicit consent remains uncertain. Under DPL, the processing grounds for sensitive personal data are notably more limited than under GDPR: apart from explicit consent, most sensitive personal data can only be processed where Turkish law currently permits it, with the sole exception of data relating to public health matters.

Equally burdensome under DPL is the cross-border transfer of personal data to a third country. The country of destination must have sufficient protection, as determined by the DPB; failing that, the parties must commit to provide it. DPL also states that: “In cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organisations”. Under this provision, data controllers must decide whether a transfer could cause serious harm, and if it could, they need to obtain DPB approval. However, it is unclear how these interests are to be determined.

Under GDPR, controllers have to maintain internal records of their processing activities, but there is no general requirement to register with the data protection authorities. DPL instead has a hybrid solution with both registration and record-keeping requirements: data controllers have to register with a dedicated registry. Under a draft DPB regulation, before completing their registration they are required to submit their Personal Data Processing Inventory and Personal Data Retention and Destruction Policy to the DPB.

For businesses which have to comply with DPL, GDPR, or both, it would be prudent to ensure that they are not duplicating their efforts. The best way to achieve this is by aiming for a flexible compliance model that successfully meets the obligations of the regulatory authorities across multiple jurisdictions.

Website: www.kilinclaw.com.tr/en/

The civil rights group wants to highlight the way in which these businesses handle data and asserts that they do not currently comply with the Data Protection Principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.

Tip of the iceberg

Privacy International’s criticisms are based on 50 subject access requests, but it admits that this investigation has “only been able to scratch the surface” of potential data exploitation practices. Meanwhile, in October the Portuguese data watchdog issued a €400,000 fine to a Portuguese hospital for two GDPR violations, highlighting just how painful fines for non-compliance can be.

With the sheer volume of data financial services companies host, there is clearly scope for major issues if it isn’t managed efficiently. So why are many struggling with GDPR six months on?

Cracking the complexities

The regulations pose many challenges. Industry goliaths can receive hundreds of subject access requests every day, presenting a huge administrative headache. At the other end of the spectrum, SMEs in the financial services sector may struggle to have even the most basic systems in place to stay on top of data management.

There is also the complexity of understanding exactly what the law requires: what data can and can’t be stored, and what the “right to be forgotten” means. Consider for a moment the back-up systems that most businesses have in place; by definition they are designed not to forget things. Does forgetting mean removing references even in long-lost archives? How do companies even begin to know where every piece of data they store on someone is hosted?

Automate, don’t complicate

Despite the endless advice issued in the lead up to GDPR, many businesses still don’t have the necessary tools in place. Companies need robust processes and systems in place to tackle incoming queries and ensure timely follow-up and resolution. Response is not just a matter of customer satisfaction. It’s now the law.

Fortunately, technology can play a big part in easing the GDPR burden. Some of the time-consuming administration surrounding GDPR can easily be handled by an automated system that captures data requests, freeing up the human workforce to focus on more value-adding tasks. An automated system can also help companies retrieve the information requested by customers, especially if they hold multiple forms of data on them.

Ironically, given that many worried GDPR would be a bottleneck to the widespread adoption of AI, AI will prove central to automating subject access requests. Systems that encode the intricacies of GDPR can automatically identify and delete the necessary data when customers ask to be forgotten.

This removes the burden of compliance from financial professionals, who may legitimately spend hours trawling systems for any reference to one client, when AI can manage this in a matter of seconds. Professionals can utilise this time saving by adding value to clients instead – strengthening relationships and increasing the chances of them being brand advocates, rather than requesting to be forgotten.

No financial services company wants to see its name in the headlines for falling foul of GDPR requirements – both the financial penalties and reputational damage will prove difficult to bounce back from. Clients will inevitably move to competitors if they are suspicious that data processes aren’t up to speed. It’s therefore imperative that all businesses automate their GDPR processes, rather than struggling in silence and risking severe damage to their company in the process.

Effectiveness So Far

The run up to the implementation date of the EU General Data Protection Regulation on 25 May 2018 saw a flurry of activity – most visibly in communications with customers; notifying them of changes in privacy policies and seeking their opt-in consent for marketing activities. While many communications were not strictly necessary, they reflected the focus of many businesses on external-facing compliance initiatives, such as their public facing privacy policies and contractual arrangements with vendors.

The key practical challenges for businesses have centered on thoroughly operationalising GDPR and creating a GDPR compliance culture. The GDPR introduces some new and enhanced rights, such as the right to erasure, but equally importantly, it introduces principles which require changes to internal procedures and systems. Technology changes have often been time-consuming and expensive to implement. Creating a GDPR compliance culture has, for many businesses, been equally challenging. For many organisations, the area of focus in the short to medium term is the work required on internal-facing compliance initiatives, such as staff training and policy formulation and integration. While many aspects of GDPR compliance have taken the form of a ‘re-papering’ exercise, the challenges in becoming compliant are generally much deeper.

Practical challenges faced by businesses

Some of the practical challenges faced by businesses have been in identifying and understanding the scope of the personal data held and processed, including its nature, location, security requirements and, most fundamentally, the business drivers and legal grounds for collecting and processing such data in the first place. While the principles of data minimisation and purpose limitation are not new under the GDPR, they were frequently overlooked under previous legislation as businesses collected increasing amounts of personal data and used it in ways that were not necessarily consistent with the original purpose. Many businesses have not properly addressed these fundamental issues, which are frequently coming to light in practice in two key areas: managing data subject rights and responding to data breaches.

For example, the right to erasure applies in a specific set of situations but many organisations do not possess the level of granular detail about their processing operations required to respond accurately or efficiently. Organisations which have made superficial policy changes will lack the deeper understanding of the internal business processes resulting from a detailed data mapping exercise or a thorough analysis of an organisation’s grounds for processing. This often makes responding to such requests much more time-consuming, and in certain cases leads to organisations fulfilling requests by default to save administrative burden. This is far from ideal, particularly where some data categories processed about an individual are likely to be outside the scope of the right to erasure. Moreover, there may be legitimate business reasons for retaining such data. A related practical issue is the lack of uniformity across European jurisdictions on exemptions to and derogations from the rights of individuals to have access to their personal data, and the lack of guidance from regulators on the scope of some of the exemptions.

Another area where the lack of internal awareness becomes apparent is in respect of data breaches. The GDPR defines a data breach extremely broadly. Media attention is often focused on large-scale breaches involving millions of records containing financial and sensitive personal data. However, practically any unauthorised access to personal data (including within an organisation) can amount to a notifiable breach. This is reflected in the volume of data breaches which regulators are handling, with some European regulators receiving between six and twelve breach notifications each day. The GDPR imposes a well-publicised default period of 72 hours within which the appropriate regulatory authority must be notified. This frequently exposes, in real time, knowledge gaps within an organisation relating to the nature and location of the personal data held, security arrangements and internal processes.

Overall impact on businesses

The GDPR is a reflection of the increased importance placed by EU law on personal privacy as a fundamental right, which needs to be taken into account when treating personal data as an essential input in business processes, if not a commodity in itself. That is simply an unavoidable cost of doing business. While increased awareness of such rights has been positive, the notification fatigue suffered by individuals has been less beneficial. This resulted partly from the lack of concrete guidance from regulators sufficiently early in the run up to the implementation date. Similarly, for businesses outside the EU, the uncertainties regarding the GDPR’s extra-territorial scope have often resulted in protracted discussions and unnecessary compliance burdens. That said, there is an almost inevitable harmonisation upwards towards EU privacy standards. For example, Japan has harmonised its laws to EU standards, and there are forthcoming changes in the United States (currently in the state of California, but potentially at a federal level) to move towards GDPR standards. The key test of the GDPR’s effectiveness and overall credibility will be in enforcement. Six months in, it is still too early to gauge regulatory appetite for the headline fines of up to 4% of global revenue. In the coming months, the results of investigations and enforcement actions will start becoming clear. The internal costs to businesses are more difficult to assess, although they are largely unavoidable.

Website: https://www.faegrebd.com/

To hear about the future of the finance function and the need for bringing a data scientist into the finance environment, Finance Monthly speaks with Angela Mazza Teufer, Senior Vice President of ERPM at Oracle.

We are living in the age of data, one in which both traditional quantifiable information and unstructured data are being hoarded in huge amounts. It takes a specific set of skills to draw useful business insight out of this data, and that is why data scientists have become so crucial to the modern business.

The introduction of GDPR regulation earlier this year has forced companies to become more data literate, and has in some cases seen them appoint Chief Data Officers (CDOs) or build teams responsible for overseeing data governance. This represents an important step towards a future where all businesses are able to make the most of their data, but it takes more than data management to turn data into value. This is where data scientists become crucial, and particularly in select business functions.

As a function that has always dealt in data and whose remit has expanded significantly in recent years, the finance team has a great deal to gain by bringing advanced data expertise into the fold. Finance teams have traditionally been made up of people with a specific set of practical skills, including management accounting, auditing and forecasting. While these remain important, businesses increasingly expect their finance department to play a more active role in driving organisational strategy, which requires a more diverse set of abilities. Data science is the most important of these.

What data science brings to the table

One of the biggest challenges faced by businesses is how to make sense of the enormous volume of data they collect, from customers, internally, and increasingly from third parties. Finance teams could easily spend all of their time just gathering and analysing data on business assets and performance, but the challenge today is to distil this information into something meaningful, especially as even financial reports are increasingly filled with ‘intangible’ assets that are not so clearly defined as revenue and profit, such as customer reach.

Having a data scientist embedded into the finance function will provide the specialist understanding and valuable resource to combine information in all forms, identify patterns that might otherwise have gone unnoticed, and most importantly draw out actions for the CFO or finance director to take to the board.

This also frees up other members of the team to focus on their areas of expertise rather than expecting them to pick up a whole new set of skills and take on a role they never signed up for. No matter the department, trying to ‘upskill’ an employee in data science underplays the importance of the role and makes light of the years of training and experience that specialist data scientists undertake.

Often, some of the most valuable information companies collect today starts life as an unstructured, chaotic set of data points. It ranges from concrete demographic data on their customers to news events and sometimes even weather patterns. The task of combining all of these streams of information and making sense of them requires the full-time attention of a dedicated specialist. It is certainly not something that core finance employees can accommodate on top of their existing responsibilities, nor can it be effectively undertaken without the appropriate training.

In short, it is much more effective to bring a data scientist into the finance environment and educate them on its specific needs, data types and ways of working, than it would be to pile complex data science responsibilities onto existing team members.

The future of the finance function

The changes to the role of the CFO and the growing demand on the finance function to be more forward looking and predictive have been well documented, but many organisations still find themselves in a period of transition. They understand what’s expected from them but are still setting up their teams and processes to deliver on this expanded brief.

It is enough of a challenge to forecast accurately in periods of uncertainty, without having to collect, analyse and process data from beyond the balance sheet as well, but it can be overcome with expert support. By bringing the right mix of skills into the finance team, companies can develop the skills they need quickly and start reaping the benefits today.

A new breed of ‘challenger banks’ has risen up around traditional institutions in the last few years. This catch-all phrase doesn’t capture the breadth of different offerings that have emerged, from mobile only banks such as Atom and Starling, to digital contenders looking to capture even more of the value chain by exploring links between online banking and social networks – Fidor is a great example. With a digital-first mentality, the competitive ace that these technology businesses have to play is their agility. Unencumbered by legacy systems, they are quick to add innovative new products and services, often encouraging open collaboration with customers – as Monzo has done – to develop the product and offering.

These FinTech companies are incredibly nimble, though hanging on to this advantage will depend on how smart they can be as they scale. With a continued focus on innovation and a clear target customer value proposition (whether that’s migrants, freelancers, Millennials or students), there will be some tough decisions to make about which technology to keep in-house and which to outsource. Will they choose to trade on the value of their proprietary systems? Or take the view that the value lies in the front-end, and outsource the remainder?

One of the key challenges that traditional banks face is simply understanding the infrastructure that lies under the hood. Systems have been developed over so many years, by so many IT architects, for so many use cases, not to mention all the mergers and acquisitions, that it has become very difficult to untangle the technology wires that link business areas across Operations, Product, Customers and Channels.

The advent of Open Banking has thrown down both a lifeline and an intimidating gauntlet for large banks. A lifeline, assuming they have the opportunity to innovate, drawing on the advantages of trust and large existing customer bases to fend off digital rivals with new appealing product offerings. A challenge, in that they must now open up their systems to third parties, which brings both a competitive threat and a logistical challenge.

No such worry for nimbler challengers. Not only do they have the benefit of operating on new, lean tech stacks, but they have been born into a mentality of collaboration, and business model evolution. High Street Banks, by contrast, haven’t been tested in this regard historically, and are jostling to keep pace.

After a period of immense innovation in the challenger bank sector, the next phase will be a tale of expansion and consolidation – a battle that some will weather more successfully than others. Some have argued that those with in-house back-end tech will experience initial pain in scaling, due to the larger tech code base and infrastructure they must maintain. Others might counter that this will be offset by lower long-term operating costs per customer, and possibly greater flexibility in product development – which could make all the difference in the quest for customer wallets, hearts, and loyalty.

Operational management and innovation do not always sit comfortably next to each other, but young banks have a golden window of opportunity to future-proof their model. Smart, proactive, risk-based decisions will ensure that scale does not hamper the agility that propelled them into the spotlight in the first instance.

It’s more fun to count soaring customer numbers and glamorous media headlines, though, in my view, the winners will be those that take the time to unpick and monitor the systems that underpin their ability to create dynamic, responsive solutions. In this instance, good things will come to those who refuse to wait.

Hans Tesslaar, Executive Director at banking architecture network BIAN

To hear about GDPR in Portugal, this month we connected with João de Sousa Guimarães, Managing Partner at Teixeira & Guimarães (T&G). Based in Porto, and with a branch office in Lisbon, the boutique firm provides financial and corporate legal support to national and global companies.

 

GDPR came into effect on 25th May – how did the Portuguese Government prepare for the new regulations?

The truth is that until recently, there haven’t been any national regulations in relation to GDPR. The Portuguese Government in fact tried to dismiss the penalties for the public sector’s non-compliance, which was faced with divided opinions, as it meant that private companies are being treated differently. Thus, the Government didn’t get the national parliament’s approval to pass a set of regulations and the issue is still to be discussed.

 

Are the majority of Portuguese companies compliant with the new regulations now?

No, they are not. The previous EU data protection directive has been in effect over the past 20 years, but Portuguese companies weren’t taking it seriously. Since November 2017, we have noticed the effort that big corporations have been making to be GDPR compliant, but there’s still a long way to go – especially for Portuguese SMEs and the public sector.

 

What are the key GDPR challenges that Portuguese SMEs are faced with?

I believe that the key challenge they are faced with is the paradigm shift. Up until now, most of the SMEs in Portugal simply haven’t considered data protection as a major issue in today’s world. And I’m not only talking about digital customer relationships – there are so many companies that collect and store customer data in physical form, without having any internal safety policies. Most SMEs don’t fully understand the importance of data protection. They see the implementation of GDPR as something unnecessary that will only cost them money, as opposed to an opportunity to improve their relationships with the company’s stakeholders and clients.

The paradigm is shifting. And even though most SMEs are afraid of the penalties (and so is the Portuguese government itself), things have started to improve.

 

What is your piece of advice for companies that are not GDPR compliant yet?

I think the most important thing for companies that are not compliant yet is to understand this paradigm shift. They need to find the gaps between their current policies and what GDPR requires. They then should seek advice on how to become compliant and properly handle their clients’, employees’ and service providers’ personal data.

 

About Teixeira & Guimarães

T&G has recently started the ESSA (Early Stage Startup Advising) programme, which consists of a number of legal services that entrepreneurs usually need assistance with. This includes things like intellectual property, corporate support and more.

The firm has an excellent relationship with several universities, being the first (and only) law firm to have been the subject of a case study by an international MBA programme (at Catolica Porto Business School).

By January 2017, T&G was the first law firm in Portugal that had its quality management system certified by SGS ICS, within the scope of Legal Service Provider and Credit Litigation.

T&G is a founder associate of the Portuguese Association for FinTech and InsurTech (AFIP) and has been involved with the Portuguese Youth Entrepreneur Association (ANJE). The firm has provided legal mentoring to the Startup Porto Accelerator as well as to the Portuguese Business Angel Association (APBA).

Teixeira & Guimarães was awarded Boutique Law Firm of the Year 2018 by the Corporate Livewire Innovation & Excellence Awards, as well as Litigation Advisory Firm of the Year 2018 by the Finance Monthly Global Awards.

 

Website: http://www.tesg.pt/

Online fraud against UK citizens has become a topic for widespread discussion as more avenues for data theft are opened to criminals. Below, Finance Monthly discusses with experts at Money Guru the true value of your personal data and the cost of keeping it safe.

Experian places the annual cost of fraud against Brits at £6.8bn and, with more and more of our personal information available online, it’s likely to rise unless proper precautions are taken.

If you aren’t savvy with your data, which includes everything from social media logins to financial details, it could end up being available to malicious actors online through channels like the dark web.

Personal finance experts Money Guru have conducted research on several Dark Web marketplaces to find the average cost of stolen data. Their findings are shocking to say the least.

Someone’s entire online identity is available for less than £750.

26 of the most commonly used accounts available on the Dark Web can be purchased for a grand total of… £744.30.

Digging deeper into the online services that each individual Brit is likely to use, it becomes even more shocking with the full details of 16 accounts including finance, travel, entertainment and email credentials, available for £696.90.

Let’s look at each individual data classification to find out how the loss of even one set of account details could seriously affect you.

Financial Information

Scammers can buy credit card and debit card details, online banking logins, passwords and PayPal account information – that’s all of these combined - for £619.40. This not only allows malicious actors access to your funds, but also a wealth of personal data that can be used for identity fraud.

Online Shopping Details

You may not be overly concerned with the security of your online shopping accounts, but they provide a great level of insight into your transactional habits as well as providing criminals the ability to order products through your account via a mail drop.

Travel Account Information

With access to accounts like Uber and Airbnb, malicious actors are given access to a lot of sensitive locational data. Not only can they access the basic details you enter to create an account, they will also be able to monitor your travel habits.

Entertainment Account Information

It’s tough to find someone who doesn’t have a Spotify or Netflix account these days, making them a popular target for online criminals. At the less serious end of the spectrum, a stolen account provides free entertainment; on the more sinister side, it provides password clues to other associated accounts, since many people reuse the same password across services.

Social Media Account Information

There are few better methods of gaining insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with few scruples about targeted advertising. They are also a fast track to identity theft.

Email & Mobile Account Data

Being able to access email and mobile account data provides fraudsters with a treasure trove of information about their target. It also offers a jumping-off point for the popular, low-effort practice of spear-phishing, where a malicious actor uses social engineering and malware to gain the credentials to more valuable accounts.

To compile this study, Money Guru accessed some of the most popular dark web marketplaces (‘Dream Market’, ‘Wall St Market’ and ‘Berlusconi Market’) to find an average price for each piece of personal data.

The big takeaway from their research is that your personal data costs online criminals very little. While the average amount stolen from a UK fraud victim is relatively small, 39% of cases result in £250 or more being stolen, and in 25% of cases the amount ranges from £500 to £40,000.

The fact that it costs scammers less than £750 to access 26 accounts, when only a fraction of those accounts could be enough to steal tens of thousands of pounds, is a frightening one.

General Data Protection Regulation is a ‘game changer’ for the financial services industry and many small firms are unlikely to be fully compliant with the new rules.

Nigel Green, the founder and chief executive of deVere, has spoken out since the implementation of GDPR, a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.

Mr Green says: “GDPR is a game changer for the financial services industry – the biggest shake-up I can remember.

“Not only is it protecting clients further by putting them back in control of their personal data, but it is going to make the industry work smarter, harder and better.”

He continues: “One of the main day-to-day ways GDPR will impact financial services is that no longer will firms be able to poach staff asking them to bring client data with them. Unfortunately, this has been a highly unethical modus operandi for many smaller financial companies for far too long. This is now no longer possible.

“Another key way that GDPR will affect the admin operations of financial services companies is the storage and management of the data. Holding data without good reason to do so will no longer be allowed.”

Mr Green goes on to add: “Despite them having ample advance notice, due to the breadth and scope of GDPR, and because it represents a fundamental shift for some companies’ business models, many smaller firms will find it extremely challenging to meet the requirements.

“It is likely that they will have found, and will continue to find, it difficult to dedicate the time and resources to getting this right and being fully compliant – especially as many are still struggling with the costs and demands of Mifid II and other complex regulatory reforms.

“As such, we can expect that many smaller firms will be hit with hefty fines for failing to meet GDPR’s stringent standards.

“Bearing this in mind, GDPR will prove to be a ‘burden’ too heavy for some smaller companies, forcing them to exit the industry.”

The deVere CEO concludes: “GDPR represents a watershed moment for the financial services sector. This is an opportunity for all firms to redouble their efforts to overhaul their business practices where necessary, ensuring the clients’ interests are always front and centre.”

(Source: deVere Group)

Much that has been written about the General Data Protection Regulation (GDPR) relates to the burden of obtaining proper consents in order to process data. This general theme has provoked questions about whether and how financial institutions can process data to fight financial crime if they need consent of the data subject. While there are certainly valid questions, GDPR is much more permissive to the extent data is used to prevent or monitor for financial crime. Richard Malish, General Counsel at Nice Actimize, explains.

Clients and counterparties will oftentimes be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn, so offering individuals the right to consent will give the impression that they can exercise data privacy rights which are not appropriate for highly-regulated activities.

Rather than relying on consent, the GDPR also permits (1) processing which is necessary for compliance with a legal obligation to which the controller is subject and (2) processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that "the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities…." The 4th EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require consent be received. And the UK Information Commissioner's Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency under PoCA as a legal obligation which constitutes a lawful basis.

Very few commentators have attempted to cite a legal authority for anti-fraud legal obligations. The Payment Services Directive 2 (PSD2) requires that EU member states permit personal data processing by payment systems and that payment service providers prevent, investigate and detect payment fraud. But PSD2 has its own requirement for consent and this protection may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, and therefore the bank has an obligation to investigate fraud in order to avoid facilitating money laundering.

"Legitimate interests" are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.

However, the GDPR makes clear that several purposes related to financial crime should be considered legitimate interests. For example, "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest" and profiling for the purposes of fraud prevention may also be allowed under certain circumstances. It is also worth recognizing that many financial market crimes such as insider trading, spoofing and layering are oftentimes prosecuted under anti-fraud statutes.

Compliance with a foreign legal obligation, such as a whistle-blowing scheme required by the US Sarbanes-Oxley Act, is not considered a "legal obligation," but it should qualify as a legitimate interest.

While legal obligations and legitimate interests do not cover all potential use cases, they should cover most traditional financial crime processing. Some banks have been informing their clients that a legal obligation justifies their processing for AML and anti-fraud. Others have included legal obligations and/or legitimate interests as potential justifications for a laundry list of potential processing activities.

Financial institutions should use the remaining days before GDPR's effective date to provide the correct notifications to data subjects and confirm that their processing adequately falls under a defensible basis for processing. And with this basic housekeeping performed there is hopefully little disruption to their financial crime and compliance operations.

The arrival of the GDPR (General Data Protection Regulation) is less than a week away. However, many businesses are still not prepared for the legislation shake-up that could see huge sanctions imposed for non-compliance. Experts at UK based IT support solutions company, TSG, explain for Finance Monthly what the key considerations are when it comes to the finance sector.

If your business is unprepared for GDPR, you are not alone. A Populus survey conducted only this year revealed that 60% of UK businesses do not consider themselves “GDPR ready”. It’s definitely not too late to put measures in place to ensure compliance with the regulation. Following the introduction of GDPR on 25th May, complying with GDPR will be a continuous journey.

What are the key areas you should be considering in light of the looming GDPR deadline?

Cyber-security tops the list

In this digital world, we produce, store and disseminate huge amounts of data. And a significant portion of that will be Personally Identifiable Information (PII); this is the data that matters under GDPR.

Even if, as a business, you don’t store customers’ sensitive data, you’ll still store the data of your employees. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.

Encrypt everything

Arguably the most valuable cyber-security tool at your disposal is encryption. Not only is it a robust way to keep your data inaccessible to cyber criminals, it’s the only method that’s explicitly mentioned multiple times in the GDPR. Should any PII data you hold fall into the wrong hands – whether deliberately or accidentally – encryption will render it unintelligible. Encryption can operate at a file, folder, device or even server level, offering the level of protection most suited to your business needs.

Review your policies and processes

The GDPR requires you to implement policies that detail how you intend to process personal data and how you will safeguard that data. It also states that data controllers – that’s your business – must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy should also be reviewed in light of GDPR.

Don’t forget subject access requests

Much of the coverage of GDPR has focused on two areas: data breaches and the potentially eye-watering fines. An area that’s arguably been overlooked is complying with subject access requests. Individuals can request access to the data you hold on them, verify that you’re processing it legally and, in some cases, request erasure of their data – also known as the ‘right to be forgotten’. Under GDPR you’ll have only a month to respond to these requests, otherwise you’ll be at risk of non-compliance. More guidance on this can be found in the Information Commissioner’s Office (ICO) GDPR guide.

Don’t forget your reporting obligations either

Another element that’s received significantly less coverage is your reporting requirements. In the event of a data breach, businesses must report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. It’s especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself. Both Uber and Equifax have come under fire in the past year for covering up breaches, reporting them late and keeping the extent of the breaches under wraps.

A good example to follow is Twitter. Following the discovery of a bug that stored users’ passwords in plain text – which is a bigger deal than it sounds – Twitter not only reported on the breach, but immediately informed its users of the bug, what caused it and the potential repercussions, and advised customers on how to keep their data safe. The second element of this is critical to GDPR too – if the breach poses a risk to individuals’ “rights and freedoms”, the victims of the breach must be informed too.

The key takeaway

The GDPR wasn’t created to punish businesses or to catch them out, but rather to empower individuals and consumers. Whilst there has been a lot of confusion around exactly what has been required for businesses, it’s clear that cyber-security is imperative, as is clueing up on your reporting and response obligations. It’s important to note that simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines.

The long-awaited General Data Protection Regulation (GDPR) becomes legislation in a week, on 25 May 2018. Below Narrinder Taggar, Partner and defendant personal injury insurance litigation specialist at Shakespeare Martineau, sheds light on the extended implications of the regulation on the insurance sector.

With GDPR coming into play, organisations across a wide variety of sectors and industries, including insurance companies, will be forced to adjust and assess their data protection strategies or face fines of up to €20 million or 4% of annual turnover, whichever is greater.

The GDPR contains rules protecting individuals when their personal data is processed. This also includes further rights around how this personal data is handled and shared with other parties.

The sensitive nature of personal information used in many insurance claims could cause a serious headache for the industry and is set to cause significant disruption to how all parties involved in the insurance claims process store, manage and process personal data. The risk created when information is shared between claimants or their advisers, brokers, insurers and other parties, such as medical professionals, all of which would be classed as “data controllers”, is great.

A data controller determines the purposes, conditions and means of the processing of personal data. The data processor is the entity that processes data on behalf of the data controller.

But what about accident investigators, who are instructed to process data on behalf of the data controller? They may well be data controllers for the purposes of obtaining and drafting witness statements which would be subject to legal professional privilege until such time the statements are disclosed to any third parties. Of course, it should be noted that a claimant does not have a right to access any data which is subject to legal professional privilege.

With the GDPR placing a greater emphasis on transparency and accountability, the insurance industry will have to be even more careful with the storage of sensitive data. With personal data being intrinsically linked to the claims process and regularly being shared with third parties, the need to be prepared is particularly urgent and parties must rethink exactly how this information is shared during the process.

Hard copy documents such as instructions to barristers may have previously been sent in the post. However, under the new GDPR it remains to be seen whether this way of sharing sensitive documents will still be deemed to be a compliant activity. Instead, encrypting files containing sensitive personal data is set to become the norm.

Under the GDPR all data controllers will be responsible for ensuring not only that the receiver, or processor, is GDPR-compliant, but also for finding out how they intend to store and use the data and delete it once it is no longer required. This can be achieved through the arrangement of a data sharing agreement. This might include a description of the data processing, an assessment of any possible risks and how those risks will be mitigated. Because of the need to ensure compliance throughout all stages of the process, those involved in insurance claims, for example insurers and their solicitors, should set up data sharing agreements with their contacts and suppliers, including other data controllers.

However, the duty of compliance also continues after the claims have been settled. The ‘right to be forgotten’ places a responsibility on the controller to delete any personal data if requested by the subject and not to keep data any longer ‘than is necessary for the purposes for which the personal data is processed’. Yet, there are a number of grounds on which data controllers may keep personal data, including if it needs to be retained in case of any further legal proceedings, for example appeals. Therefore, organisations may need to set their own retention periods for data depending on the information in question and how it may be used in future. It is worth remembering in this case that any data deemed relevant must be recorded and held securely offline.

Under the new requirements, data controllers will be obliged to report breaches to the relevant authority within the first 72 hours. Should a breach occur under the new legislation, the fault will lie not only with the data controller but could also lie with the data processor who shared the information, making it vital for all parties to be accountable for the information they process.

The GDPR has undoubtedly changed the goal posts for the insurance industry and many questions still remain around the identification of sensitive information and how the usual correspondence between parties will be affected after the new legislation is introduced. With such large penalties coming into play, the worry of doing something wrong has never been greater.

The industry currently awaits further guidance from the UK Information Commissioner on what the legislation will really mean in practice. However, with the deadline fast approaching, doing nothing is no longer an option. The industry must prioritise collaboration and transparency, in order to ensure they are fully prepared for the changes ahead.

GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)

As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ - about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.


The impact on business reputation from effective third-party management

Most business sectors rely upon a complex network of interrelationships and interconnected processing - the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.

That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising? Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.

The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.

As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.


Organising and prioritising GDPR work on third parties

Driven by GDPR, your corporate inbox may contain letters from various third-party suppliers, often including proposed changes to contractual terms. A piecemeal approach to responding is unlikely to be sensible or efficient. As a minimum, the CFO, or fellow responsible executive, should lay down three very straightforward challenges:

1. Do we have an up-to-date inventory of all contracts and agreements with our third parties?

2. Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?

3. Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?

The challenge is usually far larger than initially expected, i.e. there may be third-party relationships managed disparately across the firm, some with no formal contract; little understanding about how you might classify those relationships for data protection purposes; or an over-ambitious estimate of the effort required to become compliant.

Identifying ‘processors’ and compliant contractual terms

The classification of each third-party relationship is vitally important. Fundamentally, not all of a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.

Only the balance will be ‘controller to processor’, which then invokes the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of the relationship to help determine this classification.

Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. You must verify this carefully. Some considerations here include: which party collects what type of personal data, according to what lawful basis; and which party or parties determine the purpose and how the personal data gets processed. Further detailed analysis is required in each specific case.

If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out two minimum contractual provisions: that the processor acts only on the controller’s instructions, and that provisions are in place to implement security over personal data.

For GDPR, the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This complex area has not been understood or applied well in practice, so this guidance is helpful.

Ongoing responsibilities regarding privacy, oversight & assessment

A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.

Crowe’s view is that three components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a pre-requisite.

1. Third-party privacy management approach

The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.

For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.

2. Third-party oversight and control framework

Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.

Definition of expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI-DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. The involvement of the Finance function in monitoring key control standards can be essential.

3. An ongoing third-party assessment programme

An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based, ‘triage’ concept for the nature and frequency of that assessment. The programme should reflect how those reviews and visits get executed, e.g. questionnaire, third-party site visit, etc.

When it’s done right, it’s never done

Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation - including where events or incidents arise.

GDPR brings new energy, which, although just focused on the personal data management imperative, can be helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, but also for firms to continue to implement effective governance, control and accountability over their network of third-party relationships.


Website: www.crowehorwath.com/UK 

Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.

© 2024 Finance Monthly - All Rights Reserved.