It has been two years since GDPR came into force and, while the regulation has undoubtedly had some effects, it often feels reminiscent of the adage ‘the more things change, the more they stay the same’. Over the next year, however, the financial services sector will see greater changes coming to the fore.
Let’s start with the Brexit elephant in the room. While the UK has left the EU, we are still in a period of transition where all EU rules still apply. Come 31 December this year, though, it has been written into law that the UK will no longer be subject to EU regulations and law – deal or no deal.
From a data protection perspective, it will mean the UK will become a third country. This will mean nothing for any financial company processing and storing data in only the UK and which does not deal with clients or businesses in the European Economic Area (EEA).
For companies that do have dealings with Europe, however, without an ‘adequacy’ agreement for the UK, they will not be able to send data to any EEA country, including EEA cloud-based servers, without implementing additional contractual safeguards. These safeguards will need to be based on the standard contractual clauses if that data is being sent to a third party.
The big question is, then, will the UK be granted adequacy by the EU? The answer to that in the long term is probably yes, but it is looking increasingly likely that, by the time the UK leaves the EU, there will not be an adequacy decision in place.
Demonstrating compliance
Many financial companies find being accountable for data and demonstrating compliance the hardest tasks of GDPR. It is one thing thinking your organisation is compliant, quite another being able to prove it. The Information Commissioner’s Office (ICO) has taken a relatively relaxed attitude to enforcing accountability, allowing businesses the time to make changes.
It is now indicating that time is up, however, and this year the ICO is preparing to launch its accountability toolkit. It is looking to financial organisations to be able to demonstrate their data protection accountability and, in turn, for the ICO to be able to monitor this.
For businesses that do not have a formal suite of policies in place, as well as ‘records of processing activities’, it is going to be hard to demonstrate accountability, which in turn will make it very hard to show they are compliant, if questioned.
Data retention
Data retention is the third big issue that should be on financial businesses’ GDPR radar. Many financial companies think of data retention in terms of deletion – and, when talking about deletion, we often start thinking we may need the data in the future, especially when it comes to emails and the data contained within them.
From a practical perspective, this can cause problems. Imagine the problem where a member of staff makes a ‘data subject access request’ and you have to go through potentially many years and hundreds of thousands of historical emails to comply. With furlough and redundancy decisions being made, these requests are becoming more regular from employees and clients.
Over the next 12 months, Covid-19 will have an increased impact on data protection. With more home working, there will be a greater emphasis on protecting the public and their rights, which in turn will create challenges for businesses to respond and meet the future demands of the public and the regulator, requiring a move toward better and more demonstrable practices.
Stuart Freeman is a data protection officer at outsourced data protection resource centre The DPO Centre, which has the largest team of fully employed data protection officers in the UK.