Strategy
De-Risk Your Business Through Regulatory Resilience
The author of this article argues that when handled correctly, data privacy is not just about complying with regulations, but it also gives firms – such as wealth managers – a competitive edge.
In an industry such as wealth management and particularly, private banking, “privacy” is a key term and not a quality to be dismissed lightly. Of course, in this day of calls for more transparency – such as over beneficial ownership – striking the balance is hard. What is clear is that in an age of cybersecurity threats, including dangers of breaches and leaks from insiders as well as hostile outsiders, data protection is important. The rise of artificial intelligence adds new threats to the mix – but also new potential defences.
In this article, Paul Mountford, chief executive of US-based data security firm Protegrity, sets out how firms can reduce risk in an age of relentless regulatory change in the US, Europe and elsewhere. The editors are pleased to share these views; the usual editorial disclaimers apply. Jump into the debate! Email tom.burroughes@wealthbriefing.com
Transatlantic data flows underpin more than $7 trillion in cross-border trade and investment per annum, according to the US Department of Commerce. The recently announced EU-US Data Privacy Framework (also referred to as the Transatlantic Data Privacy Framework, TADPF), in force since the European Commission's adequacy decision of 10 July 2023, is expected to increase opportunity and economic benefit on both sides of the Atlantic.
However, many are rightly questioning the staying power of this latest version of the TADPF. Will it be third-time lucky or Groundhog Day all over again? Against this backdrop of uncertainty, many companies must evaluate their short- and long-term regulatory resilience.
Framework inadequacy
For those less familiar, the TADPF is a legal framework for data transfers that helps businesses comply with both EU and US data privacy laws. The TADPF, which is the successor to the Privacy Shield and Safe Harbor agreements, offers a legal basis for transferring personal data from the EU to the US. It is intended to limit access by US intelligence services and guarantee the protection of EU citizens' personal data.
The TADPF is similar in substance to the Privacy Shield agreement that Schrems II [i] nullified. Gartner predicts that this new framework will last only two to five years; indeed, this third attempt at a stable agreement on EU-US data transfers is likely to be back before the Court of Justice of the European Union (CJEU) before the end of the year. Schrems has already announced further legal challenges, and a plethora of other privacy groups and activists are likely to follow. As a result, it may be just a matter of months before a filing is made against the first companies to execute a transfer under this framework.
For businesses the conclusion is clear: given the TADPF's expected shelf life and the challenges it faces, a decision to rely solely on the new framework for transatlantic data flows leaves a high level of uncertainty, instability and risk.
Growing regulatory requirements
Today data borders and regulations are being constantly strengthened in a drive to protect customer privacy and fight global cyber crime. These good intentions, however, are evolving into what could fairly be called data nationalism. As the regulatory landscape for privacy becomes increasingly volatile and fragmented, business risk, in the form of being out of compliance and subject to significant penalties, grows accordingly unless the organisation builds regulatory resilience.
For the C-suite this presents a significant challenge. Cyber-risk is a board-level conversation, and in many jurisdictions the law now requires it to be one, because company performance in this area affects shareholder value, customer confidence and risk profile. Equally, an inability to demonstrate privacy compliance creates short-term financial burdens, including higher insurance premiums, cash reserves set aside for penalties and higher costs of compliance. In the long term it erodes revenue and growth, as companies are forced to pay more to participate in a market or to exit it entirely.
For data and technology leaders, today's challenge is to comply with local regulations while respecting customer expectations and managing complex global supply chains. Data localisation is a problem that must be solved rather than worked around. To meet these macro- and microeconomic challenges, organisations should look for borderless data systems that enable global business operations while satisfying local requirements.
Adapting to privacy laws around the world
GDPR has given rise to new privacy laws around the world. The United Nations Conference on Trade and Development (UNCTAD) reports that 71 per cent of countries now have data protection legislation in place and a further 9 per cent have legislation in development (https://unctad.org/page/data-protection-and-privacy-legislation-worldwide).
This is creating pressure with real-world consequences for global businesses. We need only look at the recent issues faced by Meta, the parent company of Facebook, WhatsApp and Instagram. In May 2023, Meta was fined a heart-stopping €1.2 billion ($1.3 billion) by EU regulators for breaching data protection law in its handling of EU citizens' data via the Facebook service.
Meta was fined because it relied on Standard Contractual Clauses (SCCs) as the legal basis for moving EU citizens' data to the US for processing. The regulators did not declare SCCs invalid as such; they found that the SCCs, together with the supplementary measures Meta had adopted, did not address the risks to data subjects identified in Schrems II, so the transfers breached the GDPR. The lesson for multinationals is that the contractual toolset on its own will no longer solve the data localisation challenge: a transfer mechanism has to be backed by technical measures that genuinely limit what the recipient can see. Furthermore, privacy law will only continue to evolve, becoming more complicated tomorrow than it is today.
Pseudonymisation is the solution
Pseudonymisation is an effective way to meet the GDPR's demands for secure processing and storage of personal data; the regulation itself names it as an appropriate technical measure (Articles 25 and 32). In April 2023 the EU General Court ruled, in a decision that has since been appealed to the Court of Justice, that pseudonymised data transmitted to a recipient is not personal data from that recipient's perspective if the recipient does not have the means reasonably likely to be used to re-identify the data subject. The caveat matters in practice: the data remains personal data for the party that holds the key or lookup table, so the protection depends on keeping that additional information separate from the transferred data and out of the recipient's reach. With that discipline in place, pseudonymisation is a foundational technique for mitigating data protection risk, and it plays a valuable role in helping organisations address the linked challenges of data protection, security and privacy.
Pseudonymisation, which legal bodies now accept as a method for protecting personal data, gives companies a technical foundation for the regulatory resilience they need to underpin compliance.
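The following is an added worked example, not code from the article or from Protegrity, illustrating the distinction the court drew: a recipient without the "additional information" cannot re-identify, while the controller that holds it can. It uses keyed tokenisation (HMAC-SHA256 under a secret key) as one concrete pseudonymisation scheme, with a constructed, fictional set of client records; the field names and client ID format are assumptions for illustration. It also shows why an unkeyed hash is not adequate when identifiers come from a small, guessable space, and that the protection collapses if the recipient obtains the key.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records for illustration only; not real client data.
CLIENT_RECORDS = [
    {"client_id": "CH-1001", "name": "Alice Example", "domicile": "DE", "aum_eur": 2_500_000},
    {"client_id": "CH-1002", "name": "Bob Example", "domicile": "FR", "aum_eur": 800_000},
    {"client_id": "CH-1003", "name": "Carol Example", "domicile": "IT", "aum_eur": 4_100_000},
]
# Fields that directly identify a person and must be replaced before transfer (assumed).
DIRECT_IDENTIFIERS = ("client_id", "name")


def keyed_token(key: bytes, field: str, value: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over 'field:value' under a secret key.
    Deterministic so the same client maps to the same token across exports (joins still work);
    keyed so that without the key a token cannot be recomputed from a guessed value."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def unkeyed_token(field: str, value: str) -> str:
    """The weak alternative, a plain hash. Included only to show why it fails."""
    return hashlib.sha256(f"{field}:{value}".encode()).hexdigest()


class Pseudonymiser:
    """Stays with the EU controller. Holds the key and the reverse lookup table (the
    'additional information' in GDPR Art. 4(5) terms); neither travels with the data."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, records: Iterable[dict]) -> List[dict]:
        out = []
        for rec in records:
            p = dict(rec)  # non-identifying attributes pass through unchanged
            for field in DIRECT_IDENTIFIERS:
                tok = keyed_token(self.key, field, rec[field])
                self._reverse[tok] = rec[field]
                p[field] = tok
            out.append(p)
        return out

    def reidentify(self, token: str) -> str:
        """Only the key holder can do this, and it needs no brute force."""
        return self._reverse[token]


def dictionary_attack(tokens: Iterable[str], field: str, candidates: Iterable[str],
                      token_fn: Callable[[str, str], str]) -> Dict[str, str]:
    """What a recipient can try: recompute tokens for every plausible value and match.
    Returns {token: recovered_value} for every token it manages to reverse."""
    lookup = {token_fn(field, c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo() -> dict:
    ctl = Pseudonymiser()
    exported = ctl.pseudonymise(CLIENT_RECORDS)
    exported_ids = [r["client_id"] for r in exported]
    # Client IDs come from a small, enumerable space: exactly where plain hashing fails.
    guesses = [f"CH-{n}" for n in range(1000, 2000)]

    # 1. Recipient without the key: hashing every candidate finds nothing.
    no_key = dictionary_attack(exported_ids, "client_id", guesses, unkeyed_token)
    # 2. Same records "pseudonymised" with a plain hash instead: every ID is recovered.
    plain_ids = [unkeyed_token("client_id", r["client_id"]) for r in CLIENT_RECORDS]
    plain = dictionary_attack(plain_ids, "client_id", guesses, unkeyed_token)
    # 3. Recipient that has obtained the key: the keyed tokens fall just as easily,
    #    so for that recipient the export is personal data again.
    with_key = dictionary_attack(exported_ids, "client_id", guesses,
                                 lambda f, v: keyed_token(ctl.key, f, v))
    # 4. The controller re-identifies through its own reverse table.
    reidentified = [ctl.reidentify(t) for t in exported_ids]

    return {
        "exported": exported,
        "no_key_recovered": len(no_key),
        "plain_hash_recovered": len(plain),
        "leaked_key_recovered": len(with_key),
        "controller_reidentified": reidentified,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point is key custody: the exported records carry no direct identifiers and, absent the key, no practical way to recompute them, which is the condition the court attached to treating the data as non-personal in the recipient's hands. Rotating the key per recipient, and keeping the reverse table in a separately access-controlled store, are the operational controls that keep that condition true.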
Regulatory resilience creates competitive advantage
When done correctly, data privacy delivers not just compliance but also competitive advantage. Without a doubt, businesses that can accelerate the free flow of data and the adoption of new technologies will be market disruptors. They will innovate faster, enter new markets and nimbly deliver new sources of revenue.
Ultimately, borderless data accelerates business by de-risking the data that drives sustainability, profitability and growth, connecting and creating new value for organisations, partner ecosystems and the entire supply chain.
Footnote:
[i] Schrems II (Case C-311/18, July 2020) is a ruling of the Court of Justice of the European Union (CJEU) which found that the EU-US Privacy Shield framework was an insufficient mechanism to ensure compliance with EU data protection requirements. The same ruling left Standard Contractual Clauses valid, but only where the exporter verifies, case by case, that the destination country's law does not undermine the protection they promise and adopts supplementary measures where it does.