GDPR in financial services - 2022 data regulatory hotspots

Compliance with data protection law and guidance can be a significant burden for financial services organisations. Firms would be well-advised to undertake a periodic temperature check to assess where they are in terms of compliance, taking into account the latest regulatory enforcement activity and guidance, any relevant case law and market practice.

This article examines three data protection regulatory hotspots for financial services organisations in 2022:

• the continuing impact of Brexit;
• international transfers of personal data; and
• data breach response.

The consequences of Brexit on data protection compliance

Since the UK left the European Union, two sets of data protection regimes now exist: UK General Data Protection Regulation (GDPR) and the EU GDPR. Financial services firms operating within the UK and Europe now need to consider both regimes. There are derogations and some differing guidance at a national level, but the fundamental principles and requirements of the UK and EU GDPRs remain the same. A homogeneous GDPR compliance programme can therefore be implemented to encapsulate the processing of UK and EU data. The practical consequences of Brexit to date have mainly been limited to:

• administrative amendments to contract wording and fair processing notices to include references to the UK as separate from Europe;
• changes to the designation of a lead supervisory authority in Europe, if the previous lead supervisory authority was in the UK; and
• where financial services are based outside the UK and EU and caught by the extraterritorial scope of the GDPR, appointing representatives in both the EU and UK.

Significant change could be on the horizon, however. In September 2021, the UK Department for Digital, Culture, Media and Sport (DCMS) launched a consultation on the future of UK data protection law, proposing changes to the existing legislation. The timeframe for any proposed changes is unknown, although if the Brexit Freedoms Bill comes to pass, changes could be passed through with little, if any, parliamentary scrutiny.

A careful balancing act by government is required. Crucial to the UK data economy is the finding of "adequacy" of the UK data protection regime which allows the free flow of data from the EU to the UK without additional safeguards. Any perceived reduction in the protection of data from the UK could lead to a failure to renew the UK adequacy finding when it is set to expire in June 2025.

The reality of the situation will be that for those with both UK and European operations, it will make sense to apply a higher European standard to all operations.

International transfers post-Schrems II

Under the GDPR, personal data may only be transferred outside of the EEA/UK (as applicable) where:

1. the recipient is based in a country with an adequacy determination; or
2. the transfer is subject to appropriate defined safeguards; or
3. a derogation applies.

The defined safeguards referred to in (2) above include putting in place a standard form contract between the exporter of the personal data within the UK and EEA and the importer of the data outside the UK and EEA, known as the standard contractual clauses (SCCs), and transferring data to a U.S. company that was a member of the Privacy Shield framework. An organisation exporting data from the UK and EU typically considered compliance with the rules regarding extra EEA transfers of personal data had been met by putting this contract in place, or checking the status of membership to the Privacy Shield with no further questions asked about the way the data was handled in the jurisdiction of the importer.

This approach to data transfer compliance was completely overhauled, however, by the landmark case of Schrems II, which challenged the validity of the EU SCCs and Privacy Shield. There were two significant consequences of this case: (i) the Privacy Shield was immediately declared as an insufficient mechanism for compliantly transferring data to the United States; and (ii) organisations relying on the SCCs were obliged to undertake further assessments of the law and practices of the jurisdiction to which they were sending the data and could not rely on the SCCs alone.

As a consequence, onerous European Data Protection Board guidance was published which obliges companies to undertake detailed "transfer impact assessments" (TIAs) assessing the laws and practices of the jurisdiction for which data is being sent. The Information Commissioner's Office (ICO) published a consultation on its draft guidance for international transfers of personal data, and associated transfer tools setting out the requirements of a transfer risk assessment (TRA). The TRA tool is designed to be used for lower-risk, routine transfers. It cannot be used for high-risk or too complex transfers, as such transfers will need a more detailed risk assessment and there is as yet no guidance on what these should include. The finalised guidance is expected imminently.

The EU has also released new versions of the SCCs, with a December 2022 deadline for repapering all existing agreements. The UK has issued its own version of an international transfer agreement known as the IDTA, or an alternative approach of a UK addendum to the EU SCCs. Deadlines for remediation in the UK are longer, and firms have until 2024.

This has had a significant consequence for financial services firms, which have had to start mass remediation programmes looking at the compliance of their data transfers outside the UK and EU.

It will be near-impossible to achieve zero risk when making an international transfer of personal data, and firms should therefore focus on risk management of the residual risk and using their TIAs/TRAs to assess this risk:

• Has the firm done everything to eliminate the risk to privacy? Can it encrypt the data so that it is not readable in the importing jurisdiction?
• Is there a UK/EU data centre option?
• How important, given the risk of non-compliance, is this data transfer to the organisation?

There is a glimmer of hope on the horizon. The European Commission and the United States have recently reached an agreement in principle for a Trans-Atlantic Data Privacy Framework — in effect, a Privacy Shield 2.0. This framework has not been formally passed, however, and there is little detail as yet on how the new framework will address the concerns raised by Schrems II.

Stress testing the firm's data breach response procedures

With reported security data breaches at an all-time high, financial services firms should be minded to dust off their data breach procedures and stress test them for when they — perhaps almost inevitably — find themselves the subject of a data breach.

Prevention will always be better than cure, but a properly managed data breach could offset the potential losses flowing from a breach.

Points for consideration when looking at the firm's data breach policies and procedures are:

• Assessing whether a breach is material enough for notification is rarely a straightforward decision, and firms could be minded to draw up their own internal guidelines as to what, in their view, would be notifiable in terms of numbers and types of data in advance.
• Considering wider reporting obligations such as contractual obligations and requirements under an applicable insurance policy.
• Identifying any "key personnel" whose absence in the event of a data breach would affect the firm's ability to respond appropriately.