Regulatory change in 2018 is here, and it is BIG! As new technology continues to develop rapidly, how can legal and compliance practitioners stay in control? It could be said that the proliferation of commercial data, and the resultant need for updated handling strategies to support effective compliance and governance, is the catalyst for the EU regulatory changes. While the new rules take time to come into effect, technology will continue to advance at great speed. Smart businesses are dealing with legacy compliance issues in addition to creating new strategies, policies, playbooks, and processes to update their compliance and information governance strategy. Many are struggling with where to start.
So, what are these new regulations addressing?
The 1995 EU Data Protection Regulation, now over 20 years old, became steadily outdated as technological advances created obstacles to data privacy and protection for EU residents. Initiated in 2012, the EU General Data Protection Regulation (GDPR) has undergone stringent testing and strong opposition from EU lobbyists, 75% of whom are corporations such as Google, who attended 29 European Commission meetings in 2015 alone and spend an average of £2.9m per year on lobbying. Headlines such as “EU Fines Facebook Over $122m Disclosures in WhatsApp Deal” in May 2017 make the degree of lobbying activity very apparent. These large ‘data’ conglomerates have much to protect in terms of profit and wealth expansion.
Similarly, the new Senior Managers and Certification (SMC) regime will replace the Approved Persons regime regulated by the FCA, applied to banks since March 2016. The new responsibilities are more stringent for those performing Significant Influence Functions (SIFs), the roles held by people closely involved in the banking, insurance, and investment industries.
All of these forthcoming regulations seek to improve accountability, transparency, and protection. They also have one single, common, and usually risk-imposing denominator - data. Effective accountability and transparency at the corporate and personal level will certainly involve data. And, as we all know, data has become seemingly inexhaustible, varied, fragile, and unprotected from attack and abuse.
The devil is in the detail.
Happily, proactive strategising around managing risk is becoming the norm. However, we are still often engaged in moments of crisis. Typically, a crisis occurs when, for example, a regulator has requested information within a timeframe or under a formal regulatory notice (such as a S.166) and there is a need to identify, extract, and process data for review in order to generate a timely and accurate response.
In anticipation of GDPR, the emphasis is on assisting with issues such as how to deploy profiling activities. In the context of big data analytics, how and where is the explicit consent of data subjects found in large and disparate data sets? How do IP addresses, genetic data, and data from cookies affect profiling activities?
When asked questions like the following, most businesses simply do not know, or have a hybrid response which is not always thorough enough and can leave them exposed to risk:
- Where is your data held?
- Who is responsible for the data?
- Can you remove it?
- Who has access?
- Do you have consent to use that data?
- What types of personally identifiable information do you have on file?
The financial risk of not knowing the answers to these questions, especially under GDPR, is well publicised and high, aside from the valuable time and effort absorbed from day-to-day activities.
How to stay in control?
The importance of data and information governance has become critical, and it should not be underestimated. Legal and compliance validation of corporate culture and policy can be achieved by using technology to identify data types and categories, together with repeatable, best-practice testing processes.
In cooperation with legal, compliance, and internal IT, this work should be proactively included as part of managing business risk and incorporated into a regulatory readiness strategy. Responding to issues in a reactive fashion often reveals only the tip of the iceberg and results in much bigger costs and higher risk. Keep a couple of key points in mind:
- It is not just about technology. It is a bit like buying a new TV: search Google for the right product to meet your needs and you are presented with the vast variety on the market, all of which function in much the same way with a few variations in quality. Similarly, there are many technology solutions to choose from and most of them will do the job. But don’t rely on the technology alone. Third-party providers can bring additional experience and expertise to the table, and can work in collaboration with in-house teams to find the best solution.
- The people are as important as the technology. Find the right people who understand your business, to help avoid wasting time, budget, or resources on the wrong technology, or on technology that only takes you so far. The benefits are far wider than preparedness for new regulations. Vigilance, validation, and dashboard reporting to the board are achievable across many aspects of the business when data is your key informant. This is where true value can be derived from a key asset.