
GDPR - The Regulatory Environment Latha Balakrishnan, Director Compliance & Regulatory Consulting Duff & Phelps 13 June 2018


Page 1: GDPR - The Regulatory Environment · Principles of the GDPR Duff & Phelps 4 1. Lawfulness, fairness and transparency Personal Data shall be processed lawfully, fairly and in a transparent

GDPR - The Regulatory Environment

Latha Balakrishnan, Director

Compliance & Regulatory Consulting

Duff & Phelps

13 June 2018

Page 2

Agenda

• GDPR recap & principles

• The regulators

• Powers of the ICO

• Impact on other regulations

• Example: Attracting global investors

• Data Subject Rights

• Data Subject Requests

• Breach reporting & what it involves

• Post implementation challenges

• Where have firms got to?

• Consequences & individual accountability

Duff & Phelps 2

Page 3

Why is GDPR so Important? - Recap

• Sets new standards for protecting personal data

• Empowers individuals to take control of their personal data

• Creates uniform standards for data protection across Europe

• Forces culture change within businesses

• Makes controllers and processors aware of their responsibilities

• Affects businesses across the globe, not just those in Europe

• Privacy by design and by default

• Sanctions and penalties are significant

• Enforcement


Page 4

Principles of the GDPR

1. Lawfulness, fairness and transparency: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject

2. Purpose limitation: Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

3. Data minimisation: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

4. Accuracy: Personal Data shall be accurate and, where necessary, kept up to date

5. Storage limitation: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed

6. Integrity and confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

7. Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR

Page 5

Who are the Regulators?

• Approach by EU authorities

• Appointing lead supervisory authority


Page 6

ICO Powers

• Fines have made the headlines:

• But other consequences should not be ignored:

– to impose a temporary or definitive limitation including a ban on processing;

• Where there is a significant lack of focus on putting frameworks in place, or disregard of data subjects' rights, the ICO will stop firms processing data.

Page 7

Impact on Regulations – 2003 Privacy & Electronic Communications Regulation (PECR) and 2017 ePrivacy Regulation

Comparison of PECR (2003), GDPR (2016) and ePrivacy (2017):

How does it define personal data?

PECR (2003): Information that relates to an individual and is processed, wholly or partly, by automatic means or by non-automated processing within a filing system (same as DPA 1998)

GDPR (2016): Extends the range of information covered by the DPA 1998 to include genetic and biometric data as well as online identifiers such as IP addresses

ePrivacy (2017): Same as GDPR

How does it benefit individuals?

PECR (2003): Individuals are given specific privacy rights in relation to electronic communications, including marketing communications and in relation to the use of cookies

GDPR (2016): Individuals will be able to control how their data is used, know where it is stored and have a right to transfer, or in some circumstances, erase it. In instances of misuse, individuals will have increased rights to legal recourse alongside existing rights to compensation

ePrivacy (2017): Individuals will have sufficient protection against unauthorised access or alteration to electronic communications data and confidential and safe transmission

How does it affect companies?

PECR (2003): Companies must ensure they have the necessary consents to electronic direct marketing. The requirements are different depending on the form of electronic communication. A company must also obtain consent for any cookies ‘dropped’

GDPR (2016): Companies that process personal data must have robust policies and procedures in place. Processing must only be performed under appropriately documented and justifiable lawful bases. Where consent is used it cannot be implied (no pre-ticked boxes). There must be policies in place to allow data subjects to exercise their rights under GDPR. Both data controllers and data processors are subject to the GDPR, though the obligations on processors are more limited

ePrivacy (2017): Companies will need to review their consent mechanisms and any reliance on cookies for marketing, to ensure that the business can continue to communicate with consumers in the way that it wants to. The requirements are stricter than in the PECR

Penalties for non-compliance

PECR (2003): Maximum fine of £500,000

GDPR (2016): Maximum fine of 4% of annual global turnover or €20m, whichever is higher

ePrivacy (2017): Maximum fine of 4% of annual global turnover or €20m, whichever is higher

Territorial scope

PECR (2003): No extraterritorial effect – organisations outside the EEA are not subject to PECR

GDPR (2016): GDPR will apply to the processing of personal data by businesses established within the EEA, and to controllers or processors established outside the EEA that are conducting processing activities related to the offering of goods or services to individuals within the EEA, or monitoring the behaviour of individuals within the EEA

ePrivacy (2017): ePrivacy will apply to entities anywhere in the world that provide electronic communications services to, or gather information related to the terminal equipment of, end users within the EEA

Page 8

Example: Attracting a Global Investor Base

• SPOON Ltd is a UK headquartered asset manager with offices in the US and Luxembourg

• They are launching a new fund and wish to attract investors globally

• SPOON hires a PR firm, FORK to market their new fund to potential investors

• FORK facilitates a number of events in major financial centres including Luxembourg, Frankfurt, New York and Singapore

• The events are successful and FORK is able to provide SPOON Ltd with lots of new potential investors, some currently residents in the EU and some outside the EEA

• SPOON Ltd, as a UK headquartered company, is a ‘Controller’ and must treat all Personal Data as data in scope of the GDPR

• SPOON obtains names, emails and phone numbers of a number of potential investors

• Meetings and phone calls are arranged and the meeting notes are retained and phone calls recorded

• SPOON must verify their identity and carry out KYC and AML checks to complete client onboarding, potentially processing Special Categories of Data

• SPOON will be required to comply with the GDPR requirements for data controllers and put in place rigorous operational and technical controls to safeguard the Personal Data

• This will include appropriate Data Subject notices to provide transparency to all investors, including their Non-EEA Data Subjects, and appropriate contractual clauses with all third parties that might have access to such data and would therefore be acting as a ‘Processor’

• If the data collected is accessible by its US office it must treat this as a cross border transfer and have legal provisions in place such as appropriate contractual clauses


Page 9

Data Subject Rights

Data Subjects must be provided with the following information:

• Who is collecting the information?

• What information is being collected?

• How is the information collected?

• Why is the information being collected?

• What is the lawful condition for processing?

• How will the information be used?

• Who will the information be shared with?

• Where will the information be stored or sent?

• How long will the information be kept for?

• What are the rights of the Data Subject?

Image source: https://premium.wpmudev.org/blog/gdpr-compliance/

Not all rights are applicable to all lawful conditions for processing. For instance, KYC data cannot be erased before the retention period has ended as the basis for processing is a legal obligation, but the Data Subject has the right to restrict the processing of this data strictly to KYC requirements.

Page 10

Data Subject Requests

• Data Subject Requests (not limited to access requests or DSARs) must be dealt with within 30 days

• Verification of identity will be an important first step in complying with a request – only the Data Subject or an appropriately authorised representative can exercise their rights

• Data Subject Request Forms will be a useful tool in managing requests: they prompt the requestor to send verification documents and to supply focused information about their request (including specifics and applicable dates), and they set out the restrictions and caveats that apply to requests made and how they will be handled.

• A log should be maintained of all requests as evidence in case a follow-up complaint is received or made to the Supervisory Authority.

Page 11

Data Subject Request Form


Page 12

Breach Reporting

• The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority

• You must do this within 72 hours of becoming aware of the breach

• Breach notification should include the nature of the breach, when it occurred, when it was discovered, the categories and numbers of affected data subjects and records, the likely consequences, proposed mitigation measures and evidence of the breach and actions taken/planned

• The strong implication is that a breach may not only trigger ICO fines, but also the FCA’s wide range of sanctions

• Principle 11 notifications may be required

• Other regulators may be involved or request information

• Remember your audit trails

Page 13

When to Report a Breach?

Scenario 1: Lost Laptop – LOW risk to Data Subjects

Breach

• An employee informs IT that they have left their laptop on a train

• IT inform the Data Protection team

Investigation

• The Data Protection team investigate the severity of the breach

• IT confirm the laptop is password protected and trackable

• Location services track the laptop to the train provider’s lost and found depot

Decision

• The Data Protection team decide not to report the breach as the laptop is recoverable and shows no evidence of tampering

• The laptop is recovered from the depot

Scenario 2: Malicious Attack – HIGH risk to Data Subjects

Breach

• An employee informs IT that they have clicked on an email link from the regulator to download a pdf report but they are getting an error message when they open the download

• IT discover the email was fraudulent and clicking the link has installed ransomware

• Local and network files are encrypted until a payment is made to the hacker

Investigation

• The Data Protection Officer investigates the severity of the breach

• IT confirm that all client data including KYC verification documents are at risk

• The hacker has control of large volumes of Personal Data including Special Categories of Data

• Remediation plan includes a data rollback from the cloud service provider; however, some file types may not be recoverable

Decision

• The Data Protection Officer deems it necessary to report the breach to their National Supervisory Authority

• Although they are certain to recover the majority of the data, they cannot guarantee that all data will be recovered or that it won’t be used by the hacker to target individuals through identity fraud

• Staff training and awareness is flagged as a priority issue as the fake email had telltale signs

Page 14

Post Implementation Challenges

• Legitimate interest and consent

• Impact assessments

• Assurance – how good is governance and control?

• Data mapping consent – practicalities i.e. children

• Dealing with Data Subject Access Requests (DSARs)

• Understanding and controlling data flows throughout the lifecycle of processing

• Cross border transfers of data

• Governance – appropriate framework for business size and complexity

• Balancing act – managing risk from legal obligations to collect and retain data

• Periodic cyber resilience and framework testing

• Staff training

• Audit trails are required – breaches, incidents and near misses – documenting actions


Page 15

Post Implementation - the Headlines


Page 16

Financial Times – 25 May 2018

• “if the cost of complying is significant, that speaks less to the rule than to the fact that companies have collected and stored our data in ways that ought to make us uncomfortable.”

• “Tech start-ups, video game makers and advertising technology businesses are among several small US companies pulling out of the EU rather than risk falling foul of the GDPR”

• “The European Data Protection Board (EDPB)… should make sure that, once the initial transition period is over, the cost of compliance does not put small businesses at a permanent disadvantage.”

• “Will the national DPAs have the financial muscle to take on powerful companies?”

• “Rights are empty unless exercised.”

• “Companies have been flooding inboxes… this is just the most visible part of the regulations… GDPR requires much more, pushing businesses to consider privacy in the culture of their operations and design of their products.”

• “How GDPR is embedded in the operation of both products and the companies themselves is harder to see from the outside”.

• “There are a lot of people who woke up at the last minute and they are asking for support.”

• “Tougher privacy rules are expected to spread to other jurisdictions. That means costs will go on rising… The $15m-odd price tag… the average big company will spend on GDPR is likely to be just the start.”

Page 17

Contradictory Words from the Regulators?

• France: companies that have not achieved full compliance “can expect to be treated leniently initially provided that they have acted in good faith.”

• Netherlands: “no provision has been made in law for a grace period from compliance with the GDPR,” “an organisation can minimise and mitigate against the potential consequences and sanctions that they could face . . . with a healthy GDPR compliance programme... and a genuine commitment and best efforts to meeting their GDPR obligations.”

• Austria: Andrea Jelinek, president of the newly formed European Data Protection Board (EDPB), warned that “If there are reasons to warn we will warn; if there are reasons to reprimand we will do that; and if we have reasons to fine, we are going to fine.”

• UK: Elizabeth Denham issued this statement: “I’m sure many of you are prepared and ready to go. But to small and micro-businesses, clubs and associations who are not quite there, I say … don’t panic! Today is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data. My office is looking forward to continuing to work with you to help.”

• European Commission: Anonymous official - "If there is a breach discovered the day after, the GDPR will apply…I hope that every company dealing with our personal data takes the May deadline very, very seriously."

Not Really! – You must show evidence of willingness to comply

Page 18

Where have Firms got to?

• Globally, less than 1% have done ‘nothing at all’

• Small and medium-sized businesses in the UK spent on average more than 600 hours to ensure compliance before 25th May

• GDPR has directly changed strategies or operations as well as affecting financial goals – perceived consequences from executives are operational disruption (38%), slower growth (28%) and slower innovation (28%)

• GDPR has triggered opportunities for more efficiency, security and privacy awareness

• Adapted approaches to information governance have shown beneficial improvements in security and reduced risk exposure – 81% say their compliance of information has improved

• Other perceived benefits include increased customer satisfaction (36%), improved brand image (31%) and increased internal collaboration (21%)

• Global organisations moving towards one privacy standard to stay consistent across markets

• Varied approaches from household names:

– Facebook pushed opt-in privacy notices to users worldwide. European users that did not consent to the T&Cs will be stopped from using the site

– Microsoft is extending GDPR-like data subject rights to consumers globally

– The Washington Post is monetising their compliance efforts by offering tiered subscription packages including an ‘EU Premium Subscription’ that charges extra for no on-site advertising or third-party ad-tracking.

• GDPR-like privacy regulations already exist in China, South Korea, India, Singapore, Australia and Israel

• Other non-EU countries are reviewing GDPR as a model for their own privacy legislation

Statistics source: Economist Intelligence Unit, 30th May 2018

Page 19

Gulf in GDPR Understanding and Compliance


Page 20

Consequences of Compliance Failure

REPUTATIONAL DAMAGE

• Failure to comply with the GDPR can impact on reputation and result in heavy losses (e.g. customers, key employees, market shares)

• The obligation to report data breaches to the National Supervisory Authority (and to Data Subjects) multiplies the possibility of a negative impact on the reputation of the firm.

COMPENSATION CLAIMS

• Any person who has suffered material or non-material damages as a result of an infringement of the GDPR can seek compensation for the damage suffered.

• The Data Subject can pursue claims in Court (in a jurisdiction of their choice) to obtain compensation.

SANCTIONS

• Sanctions are imposed by the National Supervisory Authority following investigations or claims. They can issue or impose:

– A warning (for minor non-conformity)

– A reprimand

– Monetary fine

– A temporary or definitive limitation including a ban on processing (this could cause a significant interruption to business activities and potentially harm reputation)

Monetary fines can be up to €20 Million or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Page 21

Compliance Failure: University of Greenwich

• University of Greenwich recently fined £120,000 by the ICO

• Why? A web server set up by a student for a conference in 2004 was left forgotten

• The University’s Computing and Maths School held a training conference and one of the academics involved asked a student to build a web microsite. The site included a facility for conference academics to upload documents anonymously via URL

• The server was linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.

• The data also included more sensitive personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.

• Left forgotten, unmapped and without regular security improvements, the susceptible server was eventually chanced upon by cybercriminals, with an initial breach in 2013

• In 2016, with the help of an SQL flaw and some uploaded PHP exploits, the personal data linked to the server was breached several times and a hacker posted the data online making the breach public knowledge

• What went wrong? Nobody remembered (or had the job of) shutting this down once the conference had finished and so it sat there for years as new vulnerabilities were discovered, patches were applied, skills were improved on all sides and attacks on web servers became everyday occurrences.

Article source: https://nakedsecurity.sophos.com

Page 22

Individual Accountability

• Of the 96 reprimands that were made publicly available in 2017 by the ICO, 11 were directly aimed at individuals and not just the company they work for.

• These were for offences of unwarranted accessing of Personal Data and sending sensitive data to personal email accounts without reason.

• The figures highlight a significant leap in such reprimands, since no individuals were publicly targeted by the ICO in 2016.

• In May 2018 alone, two individuals were fined:

– One, a former recruitment consultant, was fined £355 and ordered to pay £700 costs and £35 victim surcharges for illegally obtaining personal information. After handing in his notice to his former employer, he took a total of 272 CVs from the employer’s database

– The second was a company director who failed to comply with an Information Notice sent on 4 October 2017, to which the company failed to respond. The company was fined £1,000.00 with a £100.00 victim surcharge. The director was fined £325.00 with a £32.00 victim surcharge and ordered to pay costs of £364.08.

• Firms are at risk not only of fines, but also of highly negative media attention and commercial impact.

• The FCA will also hold individuals accountable for failings in SYSC, particularly under SMCR, which is already enforced in dual regulated firms and due to be rolled out to all FCA regulated firms in the next two years.

Page 23

Latha Balakrishnan, Director

Latha joined Duff & Phelps in February 2016 and specialises in regulatory compliance. Currently she is leading the GDPR services for Duff & Phelps Regulatory Consulting globally.

With over 25 years’ experience, Latha’s career spans banking, compliance, regulation and consultancy. She has extensive global experience and skills across a broad spectrum within financial services, built through exposure in retail, wholesale and commercial banking, operations, internal audit, project management, compliance and regulatory supervision. As a risk and compliance professional, Latha has extensive experience and has held senior compliance roles in several countries including in the UK.

In particular, during her time as a UK regulator, Latha gained extensive exposure to and supervisory oversight of a broad range of businesses within large banking groups including wholesale, retail, insurance and wealth management. In her role as Director of Compliance for the British Business Bank plc, she was responsible for setting up the Compliance function including establishing frameworks to address a number of risks. More recently, Latha has commented in industry press globally and produced thought leadership on the subject of GDPR.

She is also a guest lecturer at the University of Reading, teaching at post-graduate university level on topics covering conduct regulation in the UK.

t: +44 20 7089 0885

e: latha.balakrishnan@duffandphelps.com

Page 24

For more information about our global locations and services, please visit: www.duffandphelps.com

About Duff & Phelps

Duff & Phelps is the global advisor that protects, restores and maximizes value for clients in the areas of valuation, corporate finance, disputes and investigations, compliance and regulatory matters, and other governance-related issues. Our clients include publicly traded and privately held companies, law firms, government entities and investment organizations such as private equity firms and hedge funds. We also advise the world’s leading standard-setting bodies on valuation and governance best practices. The firm’s nearly 2,500 professionals are located in over 70 offices in 20 countries around the world. For more information, visit www.duffandphelps.com.

M&A advisory, capital raising and secondary market advisory services in the United States are provided by Duff & Phelps Securities, LLC. Member FINRA/SIPC. Pagemill Partners is a Division of Duff & Phelps Securities, LLC. M&A advisory and capital raising services in Canada are provided by Duff & Phelps Securities Canada Ltd., a registered Exempt Market Dealer. M&A advisory, capital raising and secondary market advisory services in the United Kingdom and across Europe are provided by Duff & Phelps Securities Ltd. (DPSL), which is authorized and regulated by the Financial Conduct Authority. In Germany M&A advisory and capital raising services are also provided by Duff & Phelps GmbH, which is a Tied Agent of DPSL. Valuation Advisory Services in India are provided by Duff & Phelps India Private Limited under a category 1 merchant banker license issued by the Securities and Exchange Board of India.