Top Data Protection Issues Facing HNW Individuals
Often referred to as "the oil" of the modern economy, data is strikingly vulnerable to abuse as more personal information goes online and can be cross-referenced. High net worth individuals are among those with the most to lose.
In this guest feature, Caroline Rao, senior associate at UK-based law firm Harbottle & Lewis, outlines how the wealthy can control their personal data and put proper safeguards in place. High net worth individuals are particularly at risk, Rao says, not simply in protecting their own personal data and interests often across multiple jurisdictions but in their accountability for others’ data in their roles as employers, landlords, heads of charitable organisations, trusts, and so forth. Those with a public profile and large social media following will also have a personal brand with economic value to protect from potential fraudsters. Before discussing best practices around data security, Rao suggests where general policy efforts are focused for the year ahead.
This item is being published in the WealthBriefing family of newswires - including those covering Asia and North America - because the data protection issues confronting HNW people are often cross-border. Crypto-attackers don't recognise national borders, and neither should those protecting clients.
The editors of this news service are pleased to share these views but do not necessarily endorse all the ideas of contributors and invite responses. Email tom.burroughes@wealthbriefing.com.
What is on the data protection horizon for 2019?
We may expect:
1. Expansion of data protection principles to cover technology advancements
The Information Commissioner’s Office (ICO), the UK body that reports to parliament on data security issues, has identified cyber security, AI, big data and machine learning, and web and cross-tracking devices as tech priorities for the year ahead. In fact, this year’s International Data Protection Day (January 28th) coincided with the publication of the Council of Europe’s guidelines on artificial intelligence and data protection, essentially with the aim of ensuring that AI applications do not inhibit or undermine established rights to data protection or the protection of human rights.
2. Extension in the territorial scope of "protected" data transfer
The New Year has already seen a "mutual adequacy decision" between the EU and Japan, which permits the flow of data following certain assurances and agreements that adequate safeguards are in place. Similar talks are underway with South Korea and, of course, depending on what happens with Brexit, we hope 2019 will see a similar adequacy decision in respect of UK/EU data flow.
3. A continuing rise in data breach litigation
As data protection and rights awareness grows, so will the ability to enforce those rights and claim for loss when such rights are abused. Given the scope and rate of technology development, the trend in rising litigation in this area is unlikely to reverse any time soon.
4. Greater clarity as to when and how the data protection rules apply
Judgments, published guidance, and industry best practice will hopefully assist in ending confusion arising from scenarios that do not fit squarely within the GDPR/DPA framework, such as lay trustees’ and executors’ duties and obligations in respect of holding personal data.
Common risks for HNWIs
HNW individuals are particularly vulnerable to data protection risk because they typically wear more than one hat. For example, some are employers (domestically and commercially), landlords, company directors, company shareholders, heads of charitable organisations or societies, owners of cars, boats, aircraft or properties, settlors of trusts or trust beneficiaries.
They may be subject to data protection obligations as data controllers and failure to comply may result in fines – a failure to protect personal data of employees or tenants, for example, may result in data breach litigation.
HNWIs are likely to have an international footprint so the transfer of data between countries and the interaction of the data protection and privacy laws in other countries (particularly those outside territory governed by GDPR or adequacy decisions) should be taken into account to ensure both compliance and protection of data.
They may also have a public profile or extensive social media following and in some cases their reputation or "personal brand" has significant economic value. An HNW individual may wish to protect their brand by enforcing their rights to correct or delete personal data, as well as ensuring the secure retention of data with a view to controlling the dissemination of certain information.
Managing and enforcing one’s rights in respect of personal data is also relevant where there may be inaccurate or misleading information in the public domain that adversely affects an individual’s (or an individual’s company’s) credit rating or client acceptance applications for AML compliance purposes.
The sheer magnitude of publicly available personal data for certain HNW individuals (from social media, Companies House, HM Land Registry, business websites, news and internet) will provide a very detailed profile of an individual, which can be used to obtain further personal data by unscrupulous means (for example phishing and blagging). Not only will blagged personal data have a significant resale value, the nature of that personal data is likely to allude to the availability of deep pockets – leaving people vulnerable to threats such as blackmail, fraud, or simply loss arising from the sale of their private or personal data.
Trustees are slowly waking up to their data protection responsibilities and people may find that their trust structures are not as robustly confidential as first thought.
Mitigating the risks in 2019
Knowledge and training
Knowledge is power - this is certainly true in the digital age where rapid technological advances expand the ways in which data is gathered and exploited, often ahead of regulation and legislation. Not only does an individual need to be well informed as to their obligations and rights in respect of data protection, they need sufficient understanding of new technologies and applications to ascertain how/when/where their personal data might be acquired by whom and for what purpose in order to be able to enforce their rights.
Audit
Individuals who determine that they may be a data controller should familiarise themselves with their data protection obligations and may wish to carry out an audit to determine the types of personal data that they may be responsible for, including what/whose personal data they hold, whether they have the right to hold it and how they hold or use it.
They also need to consider what personal data of theirs is held by others, whether those others need to retain/use it, how they use it, whether it is secure and whether its deletion should be requested.
Security
HNW individuals should review all their security settings, for example, for social media accounts, communications systems, and all devices, just like any other individual. Depending on the complexity of the HNW individual's circumstances, they may wish to engage specialist cyber security advisers to undertake a thorough review, and/or recommend security protocols, which should be updated regularly.
The definition of personal data is extremely wide and the generation of personal data relating to each individual is constant, so it follows that the use of personal data will continue to dominate every aspect of our lives. Coupled with the significant value of personal data (both emotional and economic), time spent educating ourselves, taking specialist advice where necessary and protecting our personal data (or mitigating risks to it) will be increasingly vital, and with the likes of the Council of Europe, the EU, and the ICO promoting awareness on occasions such as the International Data Protection Day, we can build on our knowledge of developments in this sector to do so.
Caroline Rao specialises in multi-jurisdictional structuring and cross-border issues. She advises ultra-high net worth and international high net worth individuals and families, their family offices and trustees/fiduciaries based all over the world. She has advised clients in relation to a diverse range of asset classes, including real estate, financial portfolios, trading and investment companies, art collections, aircraft and yachts.