Given the 25 May go-live date, financial institutions in Asia need to immediately consider their obligations under GDPR, which will apply to any firm with clients or employees who are EU citizens.
There are many great misconceptions in the world:
- You can see the Great Wall of China from outer space (you cannot)
- Tomatoes are a vegetable (they are a fruit)
- Frankenstein was the name of the monster in Mary Shelley’s book ‘Frankenstein’ (Frankenstein was the name of the monster’s creator)
The most recent one – which we have heard frequently on our visits to financial institutions in Asia – is that the EU General Data Protection Regulation (“GDPR”) does not apply to companies in the region. Like the examples above, this is incorrect, as GDPR is a global regulation. It is also a monster, much like Frankenstein’s creation. Given the 25 May 2018 go-live date for GDPR, it is something which needs to be considered immediately.
When considering GDPR, firms should start by asking three simple questions:
- Do you have any clients that are EU citizens? If the answer is yes, then you are responsible for GDPR compliance, as EU citizens anywhere in the world are covered by the regulation, even if they are living in Asia.
- Are you marketing or selling financial products or services into the EU? If the answer is yes, then you are responsible for GDPR compliance.
- Do you have employees that are EU citizens? If the answer is yes, then you are responsible for GDPR compliance, as employees are covered in the same manner as clients.
What are the consequences for GDPR noncompliance?
Fines – Firms can be fined for violating GDPR, and the fines are significant. Fines under the regulation can be up to EUR 20 million, or 4 percent of global turnover, whichever is greater. To the extent that a subsidiary experiences a GDPR breach, the fine is calculated on the global turnover of the parent company, not the subsidiary itself. The numbers can get very large, very quickly.
Class Action Lawsuits – Under GDPR, if firms violate the terms of the regulation, impacted clients can band together to file US-style class action lawsuits. Individuals may be awarded damages for “mental anguish” if the terms of the regulation are not followed.
Reputational Risk – In addition to monetary penalties, another major impact of GDPR is the reputational risk associated with breaching the regulation. As an example, firms may be required to notify all impacted clients within 72 hours of experiencing a data breach. Historical research into data breaches consistently illustrates that more than 60 percent of the clients of a financial services firm will look for a new service provider if their trust has been violated by the loss or theft of their personal data. If a firm loses a significant portion of its client base, then the troubles it experiences will be much greater and longer lasting than fines or lawsuits.
Valuation – The financial markets have now woken up to the impact of data breaches on a company. When Equifax suffered a data breach last year, it wiped out USD 2.3 billion of market capitalisation from the company, its CEO stepped down, and senior management did not receive their bonuses. A more extreme example was seen with respect to the Cambridge Analytica incident, following which Facebook’s valuation dropped by USD 60 billion.
Is there anything else firms in Asia need to be aware of regarding GDPR?
GDPR has introduced the concept of a “Controller / Processor Relationship”. This will have a significant impact on financial institutions and other firms going forward. A “Controller” under the regulation is a firm that is the custodian of clients’ and employees’ personal information. To the extent that they share that information with a third-party Processor (for example, a FinTech, SaaS provider, Cloud provider, or any other third party) and that party is either breached or loses the data, then both the Controller and the Processor are liable for fines under the regulation.
How can a firm protect itself from the GDPR monster?
The way to defeat Frankenstein’s monster was with fire, as he was afraid of it. Addressing GDPR will take a lot more than fire. Firms should consider the following:
Protect your data – The GDPR “best efforts” clause states that you should protect your data at rest, in transit and in memory through encryption or tokenization. The challenge with this is that it is difficult for employees to do their jobs if data access is always restricted. Therefore, firms should implement a sophisticated key management system which grants access to the right data to the right person at the right time.
Track who views data – GDPR allows individuals to submit subject access requests. Firms must be able to demonstrate who within a firm has viewed an individual’s data, why, and where it was shared with a third party. It is important to have a simple and easy way to track this.
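The two controls above (tokenizing personal data so that clear-text access is granted per person and purpose, and keeping a record of who viewed an individual's data, why, and whether it went to a third party) can be shown together in a small model. The following is an added illustration and not code from the article or from Exate Technology; the vault class, the access policy, the roles, the client identifier and the sample record are all constructed for the example.

```python
"""
Toy field-level tokenization vault with a purpose-based access policy and an
access log that can answer a subject access request. Constructed example; all
names, roles, policy entries and sample values are illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Which (role, purpose) pairs may see which personal-data attributes in clear.
# Constructed policy; in practice this is driven by the firm's data
# classification and key-management system, not hard-coded.
ACCESS_POLICY = {
    ("kyc_analyst", "onboarding"): {"name", "passport_no"},
    ("support_agent", "client_enquiry"): {"name"},
    ("marketing", "campaign"): set(),  # no clear-text access at all
}


@dataclass
class AccessEvent:
    ts: str
    client_id: str
    attribute: str
    actor: str
    role: str
    purpose: str
    granted: bool
    third_party: Optional[str] = None  # set when the value was shared externally


class TokenVault:
    """Plaintext lives only here; every other system holds tokens."""

    def __init__(self, vault_key: Optional[bytes] = None):
        # Constructed key; a real deployment keeps this in an HSM/KMS.
        self._key = vault_key or secrets.token_bytes(32)
        self._store = {}  # token -> (client_id, attribute, plaintext)
        self._log = []    # every detokenize attempt, granted or denied

    def protect_record(self, client_id: str, record: dict) -> dict:
        """Replace each personal attribute with a keyed, non-reversible token."""
        protected = {}
        for attribute, value in record.items():
            mac = hmac.new(self._key, f"{client_id}:{attribute}:{value}".encode(),
                           hashlib.sha256).hexdigest()[:16]
            token = f"tok:{attribute}:{mac}"
            self._store[token] = (client_id, attribute, value)
            protected[attribute] = token
        return protected

    def detokenize(self, token: str, actor: str, role: str, purpose: str,
                   third_party: Optional[str] = None) -> Optional[str]:
        """Return the clear value only if policy allows; log the attempt either way."""
        client_id, attribute, value = self._store[token]
        allowed = attribute in ACCESS_POLICY.get((role, purpose), set())
        self._log.append(AccessEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            client_id=client_id, attribute=attribute, actor=actor, role=role,
            purpose=purpose, granted=allowed, third_party=third_party))
        return value if allowed else None

    def subject_access_report(self, client_id: str) -> list:
        """Answer a subject access request: who touched which attribute, why,
        whether it was granted, and whether it was shared with a third party."""
        return [e for e in self._log if e.client_id == client_id]


def demo():
    """Walk through onboarding, a support enquiry and an external disclosure."""
    vault = TokenVault()
    # Constructed sample client record.
    protected = vault.protect_record(
        "C-1001", {"name": "A. Example", "passport_no": "X1234567"})
    # KYC analyst may see the passport number during onboarding.
    vault.detokenize(protected["passport_no"], "alice", "kyc_analyst", "onboarding")
    # Support agent may see the name but not the passport number: denied and logged.
    vault.detokenize(protected["passport_no"], "bob", "support_agent", "client_enquiry")
    # Name passed to an external screening provider; the disclosure is recorded.
    vault.detokenize(protected["name"], "alice", "kyc_analyst", "onboarding",
                     third_party="screening-vendor")
    return vault, protected


if __name__ == "__main__":
    v, p = demo()
    for event in v.subject_access_report("C-1001"):
        print(event)
```

The point of logging denied attempts alongside granted ones is that the same record serves two audiences: the subject access response lists the granted views and any third-party disclosures, while the denied entries feed the firm's own monitoring of who is reaching for data they have no purpose to see.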
Be wary of the Cloud – As discussed above, there is a Controller / Processor relationship that needs to be addressed. Firms should investigate how robust data privacy controls are for the third parties they share sensitive data with. People think that the Cloud is safe, but the Cloud is simply someone else’s computer or server. Firms need to evaluate how comfortable they are with the controls around third party Cloud services, and whether internal data protection policies can be enforced outside of their firewalls.
Cross Border Data Transfers – GDPR requires consent for all transfers of data outside of the EU, similar to China’s Cybersecurity Law which states that personal information for mainland China residents must not leave the country. Firms need to have system-wide controls in place for this. We view the regulation around Cross Border Data Transfers to be as big a regulatory issue going forward as GDPR is now, which will be expanded on in future articles.
GDPR, like Frankenstein’s creation, is a monster. However, the right controls can be the equivalent of fire in keeping the regulation in check. To succeed in the post-GDPR environment, firms need to consider a data strategy which can sit on top of existing legacy systems and architecture. Firms need to consider how they can protect data attributes themselves, as opposed to placing controls on every single application, API, and microservice. Lastly, firms need to consider how they can use technology to implement data policies. All of these are quickly and easily doable with the right solution.
Peter Lancos and Sonal Rattan are co-founders at Exate Technology, which provides a data middleware solution to protect sensitive data and ensure GDPR compliance.