Bovill’s David Copland comments on GDPR impact for financial institutions in Asia

Financial institutions in Asia seek to understand the impact of GDPR

With the General Data Protection Regulation (GDPR) set to take effect today, financial institutions are getting into a state of readiness to ensure there are no breaches, given the extra-territorial impact of the regulation.

The extra-territorial reach of GDPR outside the EU was initially underestimated by many financial institutions in Asia, just as they had underestimated the Markets in Financial Instruments Directive (MiFID II). The long-arm reach of GDPR rests largely on three basic rules, consultants said.

The digital economy in which we live today underscores the importance for personal data to be protected. The size of China’s digital economy, for instance, is 39 percent of its GDP and still increasing. While the digital economy in Europe makes up a much smaller portion of the EU total economy, EU regulators have blazed a trail with such an extensive regulation as the GDPR, said David Copland, Managing Consultant at Bovill Singapore.

“That is why all jurisdictional privacy bodies have good reasons for personal data to be protected in a digital context, and to give rights to individuals to control their personal data,” he said.

Chris Lim, advisory partner at EY in Singapore, said GDPR is moving along with the latest trend, which is the adoption of technology to do business, including the use of financial technology (fintech).

“This means that traditional models of operation are changing and the traditional data regime needs to evolve to stay relevant and to regulate. GDPR is taking the first step toward that,” he said.

Three basic rules

According to Copland, a company located in Asia that processes EU personal data on behalf of an associated establishment in the EU is subject to GDPR. That is the primary rule, he said.

The second rule covers companies or financial institutions that intend to sell goods and services to EU subjects. The use of EU languages or currencies is a clear indication of an intent to target EU subjects, and such companies are subject to GDPR, Copland said. Financial institutions marketing newsletters and financial products will most likely also come under GDPR, he added.

The third rule covers scenarios in which companies, including financial institutions, intend to monitor individuals, as seen in the case of Cambridge Analytica, which profiled 50 million Facebook users in connection with the United States election. Such companies will also be subject to GDPR, Copland said.

Four concepts under GDPR

Fundamental to GDPR are four concepts with which every company, including financial institutions dealing with EU residents, needs to be familiar, according to Copland. These are data controllers, data processors, personal data, and data subjects, meaning the persons whose personal data is protected.

“The whole of GDPR refers to the four concepts. There are some clear rules but there are nuances that need to be walked through. For example, EU residents providing personal data outside the EU, third parties in Asia may be processing EU data for another processor outside the EU, in which case some impact could occur. Action could be taken by the EU privacy bodies using GDPR law on the outsourcing company based in Asia,” he said.

Various rights of data subjects

GDPR states that EU data subjects have the right to know what their personal data is used for, when, where and for how long, Copland said.

The rights of EU data subjects include the right of access; the right of rectification (for example, when there is a mistake in a data subject’s data, the data subject has the right to ask for that data to be corrected); the right to be informed; the right to restrict data usage; the right to object to how the data subject’s data is being used; the right to be erased from a particular database; and the right to data portability.

The right to be informed requires a company processing EU subject data to inform that individual and give the individual the right to withdraw their data. It is about the firm giving the right back to individuals.

The right to restrict data usage covers scenarios where, for example, an EU subject does not want to receive a newsletter from a company and wants to restrict that. The right to object enables individuals to object to their data being used for a particular purpose such as profiling. If data subjects want to exercise their right to be forgotten, this may pose a challenge because the data may have been archived for a long time and is hard to locate, Copland said.

Financial institutions in Asia have to execute these rights if GDPR is applicable to them and if they process EU personal data on behalf of EU-based customers, according to Copland.

Raising fundamental questions

Lim said some fundamental questions need to be raised to determine how financial institutions in Asia will be caught by GDPR. These include: what data they have, where the data is stored, how the data is managed and who owns the data.

“GDPR provides clarity on these aspects which the other personal data privacy regulations don’t. For example, there are more strict controls on an organization’s ability to process sensitive personal data [under GDPR], which not all data regimes have. It is a good example of GDPR moving the maturity curve,” he said.

As much as they are concerned about the complexity of complying with GDPR requirements and the compliance cost involved, some financial institutions in Singapore have questioned why they have not been required to do some of the things set out in the GDPR, according to Lim.

“Some financial institutions recognised operational challenges exist, such as ownership of data which is always challenging within financial institutions, and especially in cross-border related scenarios,” he said.

Understanding the current state of compliance with GDPR

If GDPR is applicable, financial institutions need to understand their current state of compliance with the regulation, and that requires looking into a few areas, Lim said. These include whether existing policies meet GDPR requirements; whether financial institutions’ governance models meet GDPR requirements; ownership of data; whether a data protection officer has been appointed; and reviewing consent forms and making changes if required.

“GDPR requires explicit client consent for banks to obtain and process data from customers. Financial institutions also need to look into how to manage consent for non-traditional channels such as online, digital and mobile phone. Consent is important because it is the right that EU customers enjoy,” he said.

Complying with GDPR will also require financial institutions to understand the lifecycle of data, Lim said. He gave the example of EU data being processed at a head office, or by a third party, located outside the EU. In such a case, the third party’s role as a processor or controller dealing with EU data will likely be caught under GDPR.

Real risk: data security

Contrary to the market’s belief, the crux of GDPR is not issuing privacy notifications or complying through policies and procedures; these, Copland said, are not the most essential aspects.

“The real risk is the security of data in general, and the essential thing is to reduce security risk by cyber security measures in order to protect data,” he said.

Copland pointed to Singapore, which has more regulations on cyber security than any other jurisdiction; those regulations include some requirements on personal data similar to GDPR, and they must be complied with.

“Everything to do with cyber security is important, [especially] to meet security regulation compliance and GDPR,” he said.

Fines and reputational risk

When a data breach happens, GDPR mandates a 72-hour notification to the jurisdiction of the particular EU person whose data was misused. Fines of either 20 million euros or 4 percent of revenue, whichever is higher, will be imposed.

“Financial penalty aside, a personal data breach can lead to embarrassment and reputational risk, which [in turn] can lead to loss of business and customers. What people should worry about is reputational risk,” Copland said.

Lim said, however, that the first priority of GDPR was to ensure compliance rather than to impose fines.

“GDPR regulators would want to ensure adoption, awareness and application of GDPR. Fines may discourage financial institutions in Asia from doing business in the EU,” he said.

May 25, 2018 Patricia Lee, Regulatory Intelligence

Patricia Lee is chief correspondent, banking and securities regulation, Asia

Copyright © Thomson Reuters 2018. All rights reserved.