GDPR - The Regulatory Environment
Latha Balakrishnan, Director
Compliance & Regulatory Consulting
Duff & Phelps
13 June 2018
Agenda
• GDPR recap & principles
• The regulators
• Powers of the ICO
• Impact on other regulations
• Example: Attracting global investors
• Data Subject Rights
• Data Subject Requests
• Breach reporting & what it involves
• Post implementation challenges
• Where have firms got to?
• Consequences & individual accountability
Duff & Phelps 2
Why is GDPR so Important? - Recap
• Sets new standards for protecting personal data
• Empowers individuals to take control of their personal data
• Creates uniform standards for data protection across Europe
• Forces culture change within businesses
• Makes controllers and processors aware of their responsibilities
• Affects businesses across the globe, not just those in Europe
• Privacy by design and by default
• Sanctions and penalties are significant
• Enforcement
Principles of the GDPR
1. Lawfulness, fairness and transparency: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject
2. Purpose limitation: Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Data minimisation: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accuracy: Personal Data shall be accurate and, where necessary, kept up to date
5. Storage limitation: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed
6. Integrity and confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR
Who are the Regulators?
• Approach by EU authorities
• Appointing lead supervisory authority
ICO Powers
• Fines have made the headlines:
• But other consequences should not be ignored:
– to impose a temporary or definitive limitation including a ban on processing;
• Where there is a significant lack of focus on putting frameworks in place, or disregard of data subjects' rights, the ICO will stop firms processing data.
Impact on Regulations – 2003 Privacy & Electronic Communications Regulation (PECR) and 2017 ePrivacy Regulation
Comparison of PECR (2003), GDPR (2016) and ePrivacy (2017):
How does it define personal data?
– PECR (2003): Information that relates to an individual and is processed, wholly or partly, by automatic means or by non-automated processing within a filing system (same as DPA 1998)
– GDPR (2016): Extends the range of information covered by the DPA 1998 to include genetic and biometric data as well as online identifiers such as IP addresses
– ePrivacy (2017): Same as GDPR
How does it benefit individuals?
– PECR (2003): Individuals are given specific privacy rights in relation to electronic communications, including marketing communications and in relation to the use of cookies
– GDPR (2016): Individuals will be able to control how their data is used, know where it is stored and have a right to transfer, or in some circumstances, erase it. In instances of misuse, individuals will have increased rights to legal recourse alongside existing rights to compensation
– ePrivacy (2017): Individuals will have sufficient protection against unauthorised access or alteration to electronic communications data and confidential and safe transmission
How does it affect companies?
– PECR (2003): Companies must ensure they have the necessary consents to electronic direct marketing. The requirements are different depending on the form of electronic communication. A company must also obtain consent for any cookies ‘dropped’
– GDPR (2016): Companies that process personal data must have robust policies and procedures in place. Processing must only be performed under appropriately documented and justifiable lawful bases. Where consent is used it cannot be implied (no pre-ticked boxes). There must be policies in place to allow data subjects to exercise their rights under GDPR. Both data controllers and data processors are subject to the GDPR, though the obligations on processors are more limited
– ePrivacy (2017): Companies will need to review their consent mechanisms and any reliance on cookies for marketing, to ensure that the business can continue to communicate with consumers in the way that it wants to. The requirements are stricter than in the PECR
Penalties for non-compliance
– PECR (2003): Maximum fine of £500,000
– GDPR (2016): Maximum fine of 4% of annual global turnover or €20m, whichever is higher
– ePrivacy (2017): Maximum fine of 4% of annual global turnover or €20m, whichever is higher
Territorial scope
– PECR (2003): No extraterritorial effect – organisations outside the EEA are not subject to PECR
– GDPR (2016): GDPR will apply to the processing of personal data by businesses established within the EEA, and to controllers or processors established outside the EEA that are conducting processing activities related to the offering of goods or services to individuals within the EEA, or monitoring the behaviour of individuals within the EEA
– ePrivacy (2017): ePrivacy will apply to entities anywhere in the world that provide electronic communications services to, or gather information related to the terminal equipment of, end users within the EEA
Example: Attracting a Global Investor Base
• SPOON Ltd is a UK headquartered asset manager with offices in the US and Luxembourg
• They are launching a new fund and wish to attract investors globally
• SPOON hires a PR firm, FORK to market their new fund to potential investors
• FORK facilitates a number of events in major financial centres including Luxembourg, Frankfurt, New York and Singapore
• The events are successful and FORK is able to provide SPOON Ltd with lots of new potential investors, some currently resident in the EU and some outside the EEA
• SPOON Ltd, as a UK headquartered company, is a ‘Controller’ and must treat all Personal Data as data in scope of the GDPR
• SPOON obtains names, emails and phone numbers of a number of potential investors
• Meetings and phone calls are arranged; the meeting notes are retained and the phone calls recorded
• SPOON must verify their identity and carry out KYC and AML checks to complete client onboarding, potentially processing Special Categories of Data
• SPOON will be required to comply with the GDPR requirements for data controllers and put in place rigorous operational and technical controls to safeguard the Personal Data
• This will include appropriate Data Subject notices to provide transparency to all investors, including their Non-EEA Data Subjects, and appropriate contractual clauses with all third parties that might have access to such data and therefore act as a ‘Processor’
• If the data collected is accessible by its US office, SPOON must treat this as a cross-border transfer and have legal provisions in place such as appropriate contractual clauses
Data Subject Rights
Data Subjects must be provided with the following information:
• Who is collecting the information?
• What information is being collected?
• How is the information collected?
• Why is the information being collected?
• What is the lawful condition for processing?
• How will the information be used?
• Who will the information be shared with?
• Where will the information be stored or sent?
• How long will the information be kept for?
• What are the rights of the Data Subject?
Image source: https://premium.wpmudev.org/blog/gdpr-compliance/
Not all rights are applicable to all lawful conditions for processing. For instance, KYC data
cannot be erased before the retention period has ended as the basis for processing is a legal
obligation but the Data Subject has the right to restrict the processing of this data strictly to KYC
requirements.
Data Subject Requests
• Data Subject Requests (not limited to access requests or DSARs) must be dealt with within 30 days
• Verification of identity will be an important first step in complying with a request – only the Data Subject or an appropriately authorised representative can exercise their rights
• Data Subject Request Forms will be a useful tool in managing requests by prompting the requestor to send verification documents, supply focused information about their request (including specifics and applicable dates) and outlining restrictions and caveats to requests made and how they will be handled.
• A log should be maintained of all requests as evidence in case a follow-up complaint is received or made to the Supervisory Authority.
Data Subject Request Form
Breach Reporting
• The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority
• You must do this within 72 hours of becoming aware of the breach
• Breach notification should include the nature of the breach, when it occurred, when it was discovered, the categories and numbers of affected data subjects and records, the likely consequences, proposed mitigation measures and evidence of the breach and actions taken/planned
• The strong implication is that a breach may not only trigger ICO fines, but also the FCA’s wide range of sanctions
• Principle 11 notifications may be required
• Other regulators may be involved or request information
• Remember your audit trails
When to Report a Breach?
Scenario 1: Lost Laptop – LOW risk to Data Subjects
Breach
• An employee informs IT that they have left their laptop on a train
• IT inform the Data Protection team
Investigation
• The Data Protection team investigate the severity of the breach
• IT confirm the laptop is password protected and trackable
• Location services track the laptop to the train provider’s lost and found depot
Decision
• The Data Protection team decide not to report the breach as the laptop is recoverable and shows no evidence of tampering
• The laptop is recovered from the depot
Scenario 2: Malicious attack – HIGH risk to Data Subjects
Breach
• An employee informs IT that they have clicked on an email link from the regulator to download a PDF report but they are getting an error message when they open the download
• IT discover the email was fraudulent and clicking the link has installed ransomware
• Local and network files are encrypted until a payment is made to the hacker
Investigation
• The Data Protection Officer investigates the severity of the breach
• IT confirm that all client data including KYC verification documents are at risk
• The hacker has control of large volumes of Personal Data including Special Categories of Data
• Remediation plan includes a data rollback from the cloud service provider; however, some file types may not be recoverable
Decision
• The Data Protection Officer deems it necessary to report the breach to their National Supervisory Authority
• Although they are certain to recover the majority of the data, they cannot guarantee that all data will be recovered or that it won’t be used by the hacker to target individuals through identity fraud
• Staff training and awareness is flagged as a priority issue as the fake email had telltale signs
Post Implementation Challenges
• Legitimate interest and consent
• Impact assessments
• Assurance – how good is governance and control?
• Data mapping consent – practicalities i.e. children
• Dealing with Data Subject Access Requests (DSARs)
• Understanding and controlling data flows throughout the lifecycle of processing
• Cross border transfers of data
• Governance – appropriate framework for business size and complexity
• Balancing act – managing risk from legal obligations to collect and retain data
• Periodic cyber resilience and framework testing
• Staff training
• Audit trails are required – breaches, incidents and near misses – documenting actions
Post Implementation - the Headlines
Financial Times – 25 May 2018
• “if the cost of complying is significant, that speaks less to the rule than to the fact that companies have collected and stored our data in ways that ought to make us uncomfortable.”
• “Tech start-ups, video game makers and advertising technology businesses are among several small US companies pulling out of the EU rather than risk falling foul of the GDPR”
• “The European Data Protection Board (EDPB)… should make sure that, once the initial transition period is over, the cost of compliance does not put small businesses at a permanent disadvantage.”
• “Will the national DPAs have the financial muscle to take on powerful companies?”
• “Rights are empty unless exercised.”
• “Companies have been flooding inboxes… this is just the most visible part of the regulations… GDPR requires much more, pushing businesses to consider privacy in the culture of their operations and design of their products.”
• “How GDPR is embedded in the operation of both products and the companies themselves is harder to see from the outside”.
• “There are a lot of people who woke up at the last minute and they are asking for support.”
• “Tougher privacy rules are expected to spread to other jurisdictions. That means costs will go on rising… The $15m-odd price tag… the average big company will spend on GDPR is likely to be just the start.”
Contradictory Words from the Regulators?
• France: companies that have not achieved full compliance “can expect to be treated leniently initially provided that they have acted in good faith.”
• Netherlands: “no provision has been made in law for a grace period from compliance with the GDPR,” “an organisation can minimise and mitigate against the potential consequences and sanctions that they could face . . . with a healthy GDPR compliance programme... and a genuine commitment and best efforts to meeting their GDPR obligations.”
• Austria: Andrea Jelinek, president of the newly formed European Data Protection Board (EDPB), warned that “If there are reasons to warn we will warn; if there are reasons to reprimand we will do that; and if we have reasons to fine, we are going to fine.”
• UK: Elizabeth Denham issued this statement: “I’m sure many of you are prepared and ready to go. But to small and micro-businesses, clubs and associations who are not quite there, I say … don’t panic! Today is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data. My office is looking forward to continuing to work with you to help.”
• European Commission: Anonymous official - "If there is a breach discovered the day after, the GDPR will apply…I hope that every company dealing with our personal data takes the May deadline very, very seriously."
Not Really! – You must show evidence of willingness to comply
Where have Firms got to?
• Globally, less than 1% have done ‘nothing at all’
• Small and medium-sized businesses in the UK spent on average more than 600 hours to ensure compliance before 25th May
• GDPR has directly changed strategies or operations as well as affecting financial goals – perceived consequences from executives are operational disruption (38%), slower growth (28%) and slower innovation (28%)
• GDPR has triggered opportunities for more efficiency, security and privacy awareness
• Adapted approaches to information governance have shown beneficial improvements in security and reduced risk exposure – 81% say their information compliance has improved
• Other perceived benefits include increased customer satisfaction (36%), improved brand image (31%) and increased internal collaboration (21%)
• Global organisations moving towards one privacy standard to stay consistent across markets
• Varied approaches from household names:
– Facebook pushed opt-in privacy notices to users worldwide. European users that did not consent to the T&Cs will be stopped from using the site
– Microsoft is extending GDPR-like data subject rights to consumers globally
– The Washington Post is monetising their compliance efforts by offering tiered subscription packages including an ‘EU Premium Subscription’ that charges extra for no on-site advertising or third-party ad-tracking.
• GDPR-like privacy regulations already exist in China, South Korea, India, Singapore, Australia and Israel
• Other non-EU countries are reviewing GDPR as a model for their own privacy legislation
Statistics Source: Economist Intelligence Unit 30th May 2018
Gulf in GDPR Understanding and Compliance
Consequences of Compliance Failure
REPUTATIONAL DAMAGE
• Failure to comply with the GDPR can impact on reputation and result in heavy losses (e.g. customers, key employees, market shares)
• The obligation to report data breaches to the National Supervisory Authority (and to Data Subjects) multiplies the possibility of a negative impact on the reputation of the firm.
COMPENSATION CLAIMS
• Any person who has suffered material or non-material damages as a result of an infringement of the GDPR can seek compensation for the damage suffered.
• The Data Subject can pursue claims in Court (in a jurisdiction of their choice) to obtain compensation.
SANCTIONS
• Sanctions are imposed by the National Supervisory Authority following investigations or claims. They can issue or impose:
– A warning (for minor non-conformity)
– A reprimand
– A monetary fine
– A temporary or definitive limitation including a ban on processing (this could cause a significant interruption to business activities and potentially harm reputation)
Monetary fines can be up to €20 Million or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
Compliance Failure: University of Greenwich
• University of Greenwich recently fined £120,000 by the ICO
• Why? A web server set up by a student for a conference in 2004 was left forgotten
• The University’s Computing and Maths School held a training conference and one of the academics involved asked a student to build a web microsite. The site included a facility for conference academics to upload documents anonymously via URL
• The server was linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.
• The data also included more sensitive personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.
• Left forgotten, unmapped and without regular security improvements, the susceptible server was eventually chanced upon by cybercriminals, with an initial breach in 2013
• In 2016, with the help of an SQL flaw and some uploaded PHP exploits, the personal data linked to the server was breached several times and a hacker posted the data online making the breach public knowledge
• What went wrong? Nobody remembered (or had the job of) shutting this down once the conference had finished and so it sat there for years as new vulnerabilities were discovered, patches were applied, skills were improved on all sides and attacks on web servers became everyday occurrences.
Article Source: https://nakedsecurity.sophos.com
Individual Accountability
• Of the 96 reprimands that were made publicly available in 2017 by the ICO, 11 were directly aimed at individuals and not just the company they work for.
• These were for offences of unwarranted accessing of Personal Data and sending sensitive data to personal email accounts without reason.
• The figures highlight a significant leap in such reprimands, since no individuals were publicly targeted by the ICO in 2016.
• In May 2018 alone, two individuals were fined:
– One, a former recruitment consultant, was fined £355 and ordered to pay £700 costs and £35 victim surcharge for illegally obtaining personal information. After handing in his notice to his former employer, he took a total of 272 CVs from the employer’s database
– The second was a company director who failed to comply with an Information Notice sent on 4 October 2017 to which the company failed to respond. The company was fined £1,000.00 with a £100.00 victim surcharge. The director was fined £325.00 with a £32.00 victim surcharge and ordered to pay costs of £364.08.
• Firms are at risk not only of fines, but also of highly negative media attention and commercial impact.
• The FCA will also hold individuals accountable for failings in SYSC, particularly under SMCR, which is already enforced in dual regulated firms and due to be rolled out to all FCA regulated firms in the next two years.
Latha joined Duff & Phelps in February 2016 and specialises in regulatory compliance. Currently she is leading
the GDPR services for Duff & Phelps Regulatory Consulting globally.
With over 25 years’ experience, Latha’s career spans banking, compliance, regulation and consultancy. She
has extensive global experience and skills across a broad spectrum within financial services, built through
exposure in retail, wholesale and commercial banking, operations, internal audit, project management,
compliance and regulatory supervision. As a risk and compliance professional, Latha has extensive experience
and has held senior compliance roles in several countries including in the UK.
In particular, during her time as a UK regulator, Latha gained extensive exposure to and supervisory oversight
of a broad range of businesses within large banking groups including wholesale, retail, insurance and wealth
management. In her role as Director of Compliance for the British Business Bank plc, she was responsible for
setting up the Compliance function including establishing frameworks to address a number of risks. More
recently, Latha has commented in industry press globally and produced thought leadership on the subject of
GDPR.
She is also a guest lecturer at the University of Reading, teaching at post-graduate university level on topics
covering conduct regulation in the UK.
Latha Balakrishnan
Director
t: +44 20 7089 0885
e: latha.balakrishnan@duffandphelps.com
For more information about our global locations and services, please visit: www.duffandphelps.com
About Duff & Phelps
Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance, disputes
and investigations, compliance and regulatory matters, and other governance-related issues. Our clients include publicly traded and privately
held companies, law firms, government entities and investment organizations such as private equity firms and hedge funds. We also advise the
world’s leading standard-setting bodies on valuation and governance best practices. The firm’s nearly 2,500 professionals are located in over 70
offices in 20 countries around the world. For more information, visit www.duffandphelps.com.
M&A advisory, capital raising and secondary market advisory services in the United States are provided by Duff & Phelps Securities, LLC.
Member FINRA/SIPC. Pagemill Partners is a Division of Duff & Phelps Securities, LLC. M&A advisory and capital raising services in Canada are
provided by Duff & Phelps Securities Canada Ltd., a registered Exempt Market Dealer. M&A advisory, capital raising and secondary market
advisory services in the United Kingdom and across Europe are provided by Duff & Phelps Securities Ltd. (DPSL), which is authorized and
regulated by the Financial Conduct Authority. In Germany M&A advisory and capital raising services are also provided by Duff & Phelps GmbH,
which is a Tied Agent of DPSL. Valuation Advisory Services in India are provided by Duff & Phelps India Private Limited under a category 1
merchant banker license issued by the Securities and Exchange Board of India.