About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

GRAC Service Provider RiskBusiness Launches GDPR Equivalency Checker

Subscribe to our newsletter

Governance, risk, audit and compliance (GRAC) content and service provider RiskBusiness has introduced a GDPR Equivalency Checker ahead of new EU data privacy requirements coming into effect later this month. The new tool is targeted at all financial services firms impacted by the incoming changes under the so-called Schrems II legislation that comes into effect September 27. The new requirements will place an additional compliance and administration burden on firms operating within the EU and the UK, but also firms outside of the EU that may have operations within the EU.

Following last year’s ruling which invalidated the existing EU-US Data Privacy Shield Program – which had allowed companies to transfer data between the US and EU countries – firms will shortly be expected to conduct individual assessments of each data transfer to non-EU countries in order to remain GDPR compliant. Mike Finlay, CEO, RiskBusiness says that the key issue facing firms is that although these are compliance requirements, that compliance is with data privacy regulations as opposed to traditional banking regulations. “In many organisations it’s not going to fall under the compliance function but it’s going to fall under the remit of the data privacy officer,” he adds. “The data privacy rules sit somewhere between the risk function and the compliance function in most cases.”

According to the letter of the law, Schrems II actually applies to any firm that intends to move EU citizens data to a different jurisdiction to that which they are actually operating in, Finlay adds. In capital markets, that means that any data that may reflect on an EU citizen and that could, for example, be attached to a transaction, custody record, settlement or payment instruction, would automatically fall under the jurisdiction of Schrems II.

“The issue that we’re dealing with is that, come 27 September, there is an obligation on the party that is going to transfer the data to ensure that the destination to which it is going to be transferred is deemed to be adequate or equivalent to GDPR,” says Finlay. “If they don’t perform such checks, then obviously they are in breach of GDPR and the same sort of penalties would apply in this case.” Even if they do check, the drafting of the recommendations is such that the regulators in each case ie the Information Commissioners of the relevant countries, have the right to demand from a firm that it prove that it has performed such checks. Finlay adds that that the ability to maintain an audit trail of who checked which destination, jurisdiction and when and what actions were taken if deemed not adequate is going to be a strong requirement going forward. “That’s really where this new process comes in,” he says.

The GDPR Equivalency Checker is a browser based facility that automates the assessment process to determine whether equivalency or adequacy exists for a specific jurisdiction, manages detailed checks of required measures for those jurisdictions not deemed equivalent or adequate and which produces a list of required measures to be implemented to ensure compliance. Each check performed is recorded in a timestamped audit trail to ensure visibility into the outcome of individual measures.

The challenge for firms is that requirements change can change very quickly and they will need to run an enquiry for nearly every data set that they wish to transfer to ensure that the destination country is still deemed to be adequate, says Finlay. “Also, if I’m moving data to a particular destination and it’s moving point to point, I only have to check that particular destination. If it’s going to move to a third party processor which is in a third jurisdiction, then I will now need to check both of the other two jurisdictions. Depending on how you’re transferring, how frequently you’re transferring, it does become a bit more complicated.”

Firms could attempt to manage the new requirements by putting together a spreadsheet and building up a couple of macros to check some static data tables to see if they’re equivalent or not, adds Finlay. “There are two problems with that approach,” he says. “The first is being able to maintain those records across the entire organisation in order to demonstrate the audit trails. The second is how will the firm keep modifying it as the recommendations crystallise into more definitive requirements. By adopting a commercial solution such as ours, firms can save themselves that time and effort because we’ve already invested the resources in to make sure that content and capability is available.”

Subscribe to our newsletter

Related content

WEBINAR

Upcoming Webinar: GenAI and LLM case studies for Surveillance, Screening and Scanning

12 November 2025 11:00am ET | 3:00pm London | 4:00pm CET Duration: 50 Minutes As Generative AI (GenAI) and Large Language Models (LLMs) move from pilot to production, compliance, surveillance, and screening functions are seeing tangible results – and new risks. From trade surveillance to adverse media screening to policy and regulatory scanning, GenAI and...

BLOG

ESMA Post-Refit Data Quality Report 2024 (EMIR-SFTR-MiFIR) Improvements and Ongoing Challenges for 2025

The European Securities and Markets Authority (ESMA) recently published its fifth annual report on the Quality and Use of Data for 2024 (the Report), reflecting significant progress in the regulatory community’s approach to data management and utilization. This comprehensive assessment is pivotal as it outlines both the advancements made in the quality of regulatory data...

EVENT

AI in Capital Markets Summit New York

The AI in Capital Markets Summit will explore current and emerging trends in AI, the potential of Generative AI and LLMs and how AI can be applied for efficiencies and business value across a number of use cases, in the front and back office of financial institutions. The agenda will explore the risks and challenges of adopting AI and the foundational technologies and data management capabilities that underpin successful deployment.

GUIDE

The DORA Implementation Playbook: A Practitioner’s Guide to Demonstrating Resilience Beyond the Deadline

The Digital Operational Resilience Act (DORA) has fundamentally reshaped the European Union’s financial regulatory landscape, with its full application beginning on January 17, 2025. This regulation goes beyond traditional risk management, explicitly acknowledging that digital incidents can threaten the stability of the entire financial system. As the deadline has passed, the focus is now shifting...