Keeping an eye out for what people are getting fined for will be a large part of year two of GDPR compliance, according to Renata Hoes, Chief Compliance Officer and Data Protection Officer at Generali Investments Luxembourg.
It hardly feels possible that GDPR has been in action for over a year. When the deadline struck on 25 May 2018, the media, boardrooms and houses were full of whispers and discussions on how earth-shattering the regulation was going to be. Uncertainties rose around the magnitude of the task ahead – making sure all their data could be found and secured and how they would cope with an endless conveyer belt of information requests. In the end, a lot of the fear was misplaced, and fines were not being thrown out left, right and centre. The regulation has since slipped out of the media’s crosshairs but entering the second year of compliance is going to offer new challenges and the chance of more fines.
One of the biggest topics when the regulation was being implemented was regarding fines. Concerns had been raised around regulators deploying day-one fines for any company who did not have their GDPR systems up and ready. This was not the case.
Renata Hoes said, “Certainly here in Luxembourg, the feedback that we received at the beginning from the CNPD (Data Protection Regulator in Luxembourg) was they’re not there to start fining you right away. Instead they will be coming in to check what you’ve done, what you’ve put in place and how you have implemented the directive. They want to see that it’s working and receive notifications if there’s been a data breach. They are not here to start fining yet. They want to give us a chance to put everything in place and perhaps in a year or two, I would expect them to look at starting to fine people if there are major data breaches.”
It is not a regulator’s primary job to go around finding failures and uncover a company that is not compliant. Predominantly, they are there to offer protection to companies, consumers and the ecosystem. There is little sense to be fining straight out the gate, when instead, they can offer guidance and support so companies can meet compliance as soon as they can. Obviously, there are limitations, a company cannot take five years to implement the infrastructure, but there needs to be some time for the system to work out its kinks.
Instead of the regulator coming down hard from the get-go, Renata believes the first ones to look for compliance issues are internal controls. Compliance officers will be the ones initially looking at how the processes are working internally, whether it’s through an internal or external audit, exploring whether procedures are in place, if a register ready, how are data breaches handled, and if anything has been reported.
She added, “In Luxembourg, the regulator for data protection is quite small and by the time they start visiting, they’ll start with the larger entities. I really think they are also relying on the internal control functions to do that audit first and to make sure they are covering all the elements that need to be in place. And from there, I think slowly we will see some fines, depending on the type of reports that the regulator is receiving.”
As we enter the second year of compliance, there is likely to be a trickle of fines entering the market. These should be acknowledged and monitored by all companies with GDPR processes, Renata said. Examining what the causes of a fine or a data breach will help compliance teams take a step back and look critically at their own systems and identify whether they have similar issues or potential vulnerabilities. “I think that’s probably one of the things that we’re going to be looking out for to see what is going on in the markets and how things are being handled.”
Aside from monitoring other players in the market, one of the top priorities for year two of GDPR compliance should be the ironing out of interpretations. It is a fairly open regulation and companies can end up with different definitions on what constitutes as a data breach or how a procedure needs to be conducted or what needs to be reported. This needs to change, Renata said, there should be one unified understanding across all sectors.
“Working groups that have been existing for some time will change now that the GDPR has been implemented. They will start to look at real life cases and how we deal with a difference of opinion or a difference in interpretation of a regulation that we’ve implemented. I think now it’s really starting to look at how we’re going to work with our third parties when there is a discrepancy between the interpretation and looking at the frequently asked questions that are going to come out or are out already. We shall work with our counterparties to ensure that we have a similar approach to data protection and that everyone is aligned.”
It’s not just about getting individual sectors on the same page, but the whole ecosystem, she said. A focus going forward should be making sure the investment, banking, and insurance industries are not working in silos, but instead realise the directive is applicable to everyone and there is only one way the regulation can be interpreted.
At the EU level or through ESMA, there are often Q&A’s available on the differing regulations and these are the best way to get people on the same page. Cloud technology is one of the main causes for differing opinions on GDPR compliance and more Q&As would help relieve some of the confusion. The technology stack seems to have this thick mist around it, which some people cannot understand and see how it works. The data can be stored anywhere, in databases in the US, India, UK, etc. and it is hard to know where. All of this data still needs to be managed and yet some false interpretations seem to say it does not.
Making it harder for companies meeting the GDPR compliance and coming to the same interpretations is the fact many institutions already had procedures for data protection. Now they have had to adapt their systems and make it fit with the new law. Renata said, the regulation has been hugely beneficial in making sure firms have an accurate understanding of where information is being stored, but there have been a lot of added processes and more onerous obligations on compliance teams. While there has been more transparency in the space, there has not been much else different. Firms already had data protection rules, and anyone could make a complaint about data protection to the regulator if necessary, she added.
The global RegTech space has received significant interest from investors since 2014, with over $10.9bn having been invested during 2014 and 2018, RegTech Analyst data shows. GDPR has worked its way up to become the third most funded regulation during this period, responsible for $1.7bn (15.7 per cent) of this total. It only falls behind KYC and AML providers which raised $3.5bn and $2.8bn, respectively. The level of capital raised by GDPR developers is even more remarkable by the fact it was only adopted in 2016.
Copyright © 2018 RegTech Analyst