Governance, risk, audit and compliance (GRAC) content and service provider RiskBusiness has introduced a GDPR Equivalency Checker ahead of new EU data privacy requirements coming into effect later this month. The new tool is targeted at all financial services firms impacted by the incoming changes under the so-called Schrems II legislation that comes into effect September 27. The new requirements will place an additional compliance and administration burden on firms operating within the EU and the UK, but also firms outside of the EU that may have operations within the EU.
Following last year’s ruling which invalidated the existing EU-US Data Privacy Shield Program – which had allowed companies to transfer data between the US and EU countries – firms will shortly be expected to conduct individual assessments of each data transfer to non-EU countries in order to remain GDPR compliant. Mike Finlay, CEO of RiskBusiness, says that the key issue facing firms is that although these are compliance requirements, the compliance is with data privacy regulations rather than traditional banking regulations. “In many organisations it’s not going to fall under the compliance function but it’s going to fall under the remit of the data privacy officer,” he adds. “The data privacy rules sit somewhere between the risk function and the compliance function in most cases.”
According to the letter of the law, Schrems II actually applies to any firm that intends to move EU citizens’ data to a jurisdiction other than the one in which it is operating, Finlay adds. In capital markets, that means any data that may identify an EU citizen and that could, for example, be attached to a transaction, custody record, settlement or payment instruction would automatically fall under the scope of Schrems II.
“The issue that we’re dealing with is that, come 27 September, there is an obligation on the party that is going to transfer the data to ensure that the destination to which it is going to be transferred is deemed to be adequate or equivalent to GDPR,” says Finlay. “If they don’t perform such checks, then obviously they are in breach of GDPR and the same sort of penalties would apply in this case.” Even if they do check, the drafting of the recommendations is such that the regulators in each case, i.e. the Information Commissioners of the relevant countries, have the right to demand that a firm prove it has performed such checks. Finlay adds that the ability to maintain an audit trail of who checked which destination and jurisdiction, when, and what actions were taken if the destination was deemed not adequate is going to be a strong requirement going forward. “That’s really where this new process comes in,” he says.
The GDPR Equivalency Checker is a browser-based facility that automates the assessment process to determine whether equivalency or adequacy exists for a specific jurisdiction, manages detailed checks of required measures for those jurisdictions not deemed equivalent or adequate, and produces a list of required measures to be implemented to ensure compliance. Each check performed is recorded in a timestamped audit trail to ensure visibility into the outcome of individual measures.
The challenge for firms is that requirements can change very quickly, and they will need to run an enquiry for nearly every data set that they wish to transfer to ensure that the destination country is still deemed to be adequate, says Finlay. “Also, if I’m moving data to a particular destination and it’s moving point to point, I only have to check that particular destination. If it’s going to move to a third party processor which is in a third jurisdiction, then I will now need to check both of the other two jurisdictions. Depending on how you’re transferring, how frequently you’re transferring, it does become a bit more complicated.”
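The two points above (a per-transfer adequacy check for every hop on the route, and a timestamped record of who checked what and with which outcome) can be modelled in a few dozen lines. The following is an added illustration and is not RiskBusiness code or a description of how their checker works. The adequacy table, the catalogue of required measures, the jurisdiction codes and the audit record format are all constructed for the example and say nothing about the real legal status of any country; a real implementation would source the table from the supervisory authorities and refresh it, which is why the route is re-assessed on every transfer rather than cached.

```python
"""Per-transfer adequacy check with an audit trail (illustrative model).

Added example, not the product's own code. ADEQUACY_TABLE and
REQUIRED_MEASURES are constructed placeholders, not legal facts.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Constructed adequacy table: jurisdiction code -> deemed equivalent to GDPR
# in this hypothetical assessment. A jurisdiction missing from the table is
# treated as "cannot assess", not as adequate (fail closed).
ADEQUACY_TABLE: Dict[str, bool] = {
    "DE": True,
    "IE": True,
    "UK": True,
    "US": False,
    "SG": False,
}

# Constructed catalogue of measures the exporter must evidence before data
# may go to a hop that is not deemed adequate.
REQUIRED_MEASURES: List[str] = [
    "transfer impact assessment recorded",
    "standard contractual clauses signed with recipient",
    "data encrypted in transit and at rest, keys held by the exporter",
]


@dataclass
class AuditEntry:
    timestamp: str          # UTC ISO-8601, so entries can be ordered across sites
    checked_by: str         # who ran the check (user id or role)
    jurisdiction: str       # the hop that was assessed
    adequate: bool
    required_measures: List[str]


@dataclass
class AuditTrail:
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, checked_by: str, jurisdiction: str,
               adequate: bool, measures: List[str]) -> AuditEntry:
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(),
                           checked_by, jurisdiction, adequate, list(measures))
        self.entries.append(entry)
        return entry


def assess_transfer(route: List[str], checked_by: str, trail: AuditTrail,
                    table: Dict[str, bool] = ADEQUACY_TABLE) -> dict:
    """Assess every destination hop on a transfer route.

    route lists jurisdiction codes in order: the exporter first, then each
    place the data is sent, including any third-party processor. The exporter
    is not assessed; every later hop is, so a point-to-point transfer yields
    one check and a transfer via a processor in a third jurisdiction yields
    two, matching the situation described in the article.
    """
    if len(route) < 2:
        raise ValueError("route needs an exporter and at least one destination")
    unknown = [hop for hop in route[1:] if hop not in table]
    if unknown:
        # Unknown status must block the transfer, never silently pass it.
        raise KeyError(f"no adequacy status for {unknown}; cannot assess")

    hops: Dict[str, dict] = {}
    for hop in route[1:]:
        adequate = table[hop]
        measures = [] if adequate else list(REQUIRED_MEASURES)
        trail.record(checked_by, hop, adequate, measures)   # one audit line per hop
        hops[hop] = {"adequate": adequate, "required_measures": measures}

    blocked = sorted(h for h, r in hops.items() if not r["adequate"])
    return {
        "route": list(route),
        "all_adequate": not blocked,
        "hops": hops,
        "measures_by_hop": {h: hops[h]["required_measures"] for h in blocked},
    }


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed routes: point to point, then via a processor in a third country.
    for route in (["DE", "IE"], ["DE", "US", "SG"]):
        result = assess_transfer(route, "dpo.example", trail)
        print(route, "all adequate:", result["all_adequate"],
              "measures needed at:", sorted(result["measures_by_hop"]))
    for e in trail.entries:
        print(e.timestamp, e.checked_by, e.jurisdiction, "adequate" if e.adequate else "NOT adequate")
```

The design choice worth noting is the fail-closed handling of a jurisdiction that is absent from the table: a spreadsheet lookup that returns an empty cell is easy to misread as "no problem", whereas raising here forces someone to add an explicit status before the transfer proceeds, and that decision then lands in the audit trail like every other check.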
Firms could attempt to manage the new requirements by putting together a spreadsheet and building up a couple of macros to check some static data tables to see if they’re equivalent or not, adds Finlay. “There are two problems with that approach,” he says. “The first is being able to maintain those records across the entire organisation in order to demonstrate the audit trails. The second is how will the firm keep modifying it as the recommendations crystallise into more definitive requirements. By adopting a commercial solution such as ours, firms can save themselves that time and effort because we’ve already invested the resources in to make sure that content and capability is available.”