ICO: “It is an evolution not a revolution”
“It is an evolution not a revolution”.
The Information Commissioner’s Office (ICO) mantra.
Over the past six weeks, I am sure that, like me, you have heard this from all sides, from traditional media and social media. So, nothing to fear: you have seen it all before, you can adapt, and it will be easy and painless because you already understand it.
Collectively we should analyse this statement and see if it holds up under scrutiny.
Key concerns amongst the investment industry are that GDPR comes at a time when regulatory fatigue is at breaking point. The number of people deployed, and the amount of both intellectual and physical capital that has been exhausted in meeting the new regulations since 2007, has reached such epic proportions that had most known this was going to be the ever-changing cycle, many would have packed up ten years ago. The movements are challenged by two conflicting views: on one side, that self-regulation failed and that it is now incumbent on governments, regulators and supra-national bodies to tell us what we can and cannot do; on the other, that this was not really the industry’s fault and that the failures really came from government, central banks, and the panic and outcry over the circumstances created by their failure to control money supply. This then led to finding a scapegoat, which became the finance industry itself. The truth is somewhere in the middle.
The response, however, has not been in the middle. It has been a one-sided attack on business practice, with the public sector admonishing itself of all responsibility. Not particularly edifying. One thing that is noticeable about GDPR is that it regulates the public sector more stringently than the private. This is so rare in today’s context that it should be shouted from the rooftops. Perhaps the balance is finally being addressed in one small way but there is no doubt that the industry sees another regulation - hot on the heels of everything that has gone before - as the straw that is breaking the camel’s back.
Evolution suggests that the start point is the end of the previous iteration. The Data Protection Act (DPA) in the UK covers a great many of the issues that are now being addressed forthrightly in GDPR.
This was addressed robustly in the previous regulation, and in this most sensitive of areas they are correct in stating that it is evolving. If one were to look at most of the commentary around GDPR in early project discussions, it has been with sales and marketing that most concerns have come to the fore. Who can I talk to? How can I talk to them? Do I have to get consent to do so? These have been the largest and longest of discussions. Most people now recognise that they don’t need someone’s consent to contact them. It needs to be proportionate and needs to stop when asked to; common sense prevails.
2. Personal Data Requests (Now called Subject Access Requests)
The other area where we see evolution is in notification and subject access requests. The medical industry is ahead of the other sectors with this, as people have understood their right to see their medical files for at least a decade, if not more. This is a Subject Access Request and has been enabled in the DPA for a great deal of time. Reporting and notification times were 45 days, now 30, but with a right to extend by a further 60 days if the query is arduous or convoluted. This is pure evolution. The right of access, and then the rights to amend and to be forgotten, are already in place (one can argue they are ineffective, but they are there). In this, the ICO is correct. One area of meaningful change is that fees can no longer be charged under GDPR, unless the request is repetitive or excessive, where they could be charged under the DPA. It’s more cost the industry will have to absorb, but definitely an evolution.
In the Middle
The administrative fines are going to be able to be made much, much bigger (up to 4% of your group turnover), but the regulator can fine you today, so in that sense it’s an evolution. Do they? Well, you can argue they do, but the counter-argument that the fines are not meaningful, or in most cases that they don’t fine at all, probably has greater weight. What is noticeable is the number of data privacy breaches that companies are now bringing to the fore just before the fine levy increases are imposed; this is almost an amnesty when you see the size of the potential punishment. I would argue that this is really revolutionary, because the criminal sanctions that have been added and the size differences change the entire tone of the engagement between ourselves and the regulators, but both sides have a case in arguing for either evolution or revolution.
The territorial scope is vastly enhanced and largely covers just about everyone on the planet under several circumstances. So much so that companies outside the EU must now have an EU representative organisation to become the bearer of fines and regulatory scrutiny. It enforces policy on businesses outside EU jurisdictions by stealth and third-party engagement.
All systems must now be designed, on an ongoing basis, to deliver privacy by design. It will mean back to the drawing board for many systems and will make some which have already been developed unfit for use in the EU or by businesses servicing EU customers. Luckily it isn’t retrospective, but it will force momentous change in the future. Systems were never covered in the DPA.
3. New or Enhanced Roles
Data Controller: criminal liability for misuse of personal data (PII). Prison.
Data Protection Officers (DPOs) are now mandatory for public bodies, and pretty much necessary for anyone selling retail. Most investment funds, unless trading private proprietary money, should be thinking about at least an outsourced DPO (see my previous article in AlphaWeek). In the past, for most businesses, it was a message that said we record your calls before you got connected (largely due to the Privacy in Electronic Communications Act).
Marketing brochures need to be amended, but more importantly organisations must make it as easy for people to stop a service as it is to start one. This has all sorts of connotations for business, as months of work could be undone by an opt-out that takes seconds once this is enabled through automation.
This isn’t a big topic for our business, as finance rules restrict most of our business to adults, but it is noticeable that children are no longer allowed to give informed consent and that definitions of a child vary across most EU countries, as they choose them through derogations. Possibly a cost to the trust and private trust business.
6. Record Keeping
This is vastly different. The level of documentation required and the nature of the decision-making process through to the Data Privacy Impact Assessments that must be conducted mean huge overheads.
7. Breach Reporting
It’s now mandatory to report a breach within 72 hours if data privacy has been impacted. This will require a team not unlike Business Continuity to be put into place inside most decent-sized firms, with clear actions and procedures, as there will not be enough time in the event of an episode for participants to agree amongst themselves. This represents a huge change from reactive and non-disclosed breach reporting.
8. Encryption and pseudonymisation
Some mandatory encryption and pseudonymisation of personal data is now required with regard to special interests and sensitive information. More importantly, the regulation uses its standard phrase of ‘appropriate organisational and technical measures’ to prevent unauthorised data spills. This means that whatever the ICO decides is appropriate is the standard to which you will be held. Businesses will not know what that is until we have enough case law precedent, which means that for the first few years it will be whatever the ICO, with the benefit of hindsight, thinks. It’s not a happy situation, and much less happy if it’s you they are investigating. Beware.
9. International Transfers
GDPR changes the nature of who is deemed appropriate to receive data with regard to third countries. Data controllers and processors are deemed to have to abide by restrictions, hence the hundreds of emails you have received from every cloud-based company looking to offload their responsibilities back to you and your business (which, by the way, they can’t, but they want you to think they can).
Like the passporting regime, it is the EU that determines which countries are appropriate. So it looks like the scoring at the Eurovision Song Contest, with the ridiculous situation that sending data to Argentina (Spain wanted it) is fine but sending to Australia or the US (the UK wanted it) isn’t. The US has had two different attempts to address this concern: Safe Harbor (sic) and Privacy Shield. Safe Harbor failed and it looks as if Privacy Shield is about to go the same way.
It is possible through Binding Corporate Rules (BCR) to circumvent these problems, and pre-approval of BCRs by the EU was removed. So at least, for the time being, business can send to third countries without the EU’s say-so, but if business does not audit and make checks on third-country suppliers to make sure they uphold GDPR standards, that will change. I will address this in greater detail in my next article.
If this isn’t a revolution, I don’t know what is. The investment industry is going to find itself coming under intense scrutiny (it’s got deep pockets and is an easy target) sooner than it thinks. Judging from my own deliberations with the market, those of my fellow professionals, and the collective surveys being undertaken, the industry is woefully under-prepared. Addressing this is going to significantly increase the cost of compliance, either in manual processes with more people or in automation. We would recommend the latter, or this will become a never-ending cycle of remediation, degrading compliance and then back to remediation. Put simply, the ICO is featherbedding the impact of this (no doubt for the best of reasons, i.e. not to cause panic), and the industry will soon wake to the realisation that the impact on their business is going to be truly significant, and that most of them have left themselves vulnerable to an extinction-level event that needed fixing yesterday.