
A-Team Insight Blogs

GRAC Service Provider RiskBusiness Launches GDPR Equivalency Checker


Governance, risk, audit and compliance (GRAC) content and service provider RiskBusiness has introduced a GDPR Equivalency Checker ahead of new EU data privacy requirements coming into effect later this month. The new tool is targeted at all financial services firms affected by the incoming changes under the so-called Schrems II legislation that comes into effect on September 27. The new requirements will place an additional compliance and administration burden not only on firms operating within the EU and the UK, but also on firms outside the EU that have operations within it.

Following last year’s ruling which invalidated the existing EU-US Privacy Shield programme – which had allowed companies to transfer data between the US and EU countries – firms will shortly be expected to conduct individual assessments of each data transfer to non-EU countries in order to remain GDPR compliant. Mike Finlay, CEO of RiskBusiness, says the key issue facing firms is that, although these are compliance requirements, the compliance in question is with data privacy regulations rather than traditional banking regulations. “In many organisations it’s not going to fall under the compliance function but it’s going to fall under the remit of the data privacy officer,” he adds. “The data privacy rules sit somewhere between the risk function and the compliance function in most cases.”

According to the letter of the law, Schrems II applies to any firm that intends to move EU citizens’ data to a jurisdiction other than the one in which it actually operates, Finlay adds. In capital markets, that means any data that may identify an EU citizen and that could, for example, be attached to a transaction, custody record, settlement or payment instruction would automatically fall under Schrems II.

“The issue that we’re dealing with is that, come 27 September, there is an obligation on the party that is going to transfer the data to ensure that the destination to which it is going to be transferred is deemed to be adequate or equivalent to GDPR,” says Finlay. “If they don’t perform such checks, then obviously they are in breach of GDPR and the same sort of penalties would apply in this case.” Even if they do check, the recommendations are drafted such that the regulators in each case, i.e. the Information Commissioners of the relevant countries, have the right to demand that a firm prove it has performed such checks. Finlay adds that the ability to maintain an audit trail of who checked which destination and jurisdiction, when, and what actions were taken if it was deemed not adequate is going to be a strong requirement going forward. “That’s really where this new process comes in,” he says.

The GDPR Equivalency Checker is a browser-based facility that automates the assessment process to determine whether equivalency or adequacy exists for a specific jurisdiction, manages detailed checks of the required measures for those jurisdictions not deemed equivalent or adequate, and produces a list of measures that must be implemented to ensure compliance. Each check performed is recorded in a timestamped audit trail to give visibility into the outcome of individual measures.

The challenge for firms is that requirements can change very quickly, and they will need to run an enquiry for nearly every data set they wish to transfer to ensure that the destination country is still deemed adequate, says Finlay. “Also, if I’m moving data to a particular destination and it’s moving point to point, I only have to check that particular destination. If it’s going to move to a third party processor which is in a third jurisdiction, then I will now need to check both of the other two jurisdictions. Depending on how you’re transferring, how frequently you’re transferring, it does become a bit more complicated.”
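To make the two points above concrete (every hop of a transfer path is assessed, not just the final destination, and every assessment leaves a timestamped audit record of who checked which jurisdiction and what measures resulted), here is a small added illustration written for this article. It is not RiskBusiness’s tool or code; the jurisdiction codes, adequacy statuses and supplementary measures in `ADEQUACY_TABLE` are constructed placeholders, not real adequacy decisions, and a firm would populate such a table from current regulatory guidance and keep it under change control.

```python
"""Added illustration: a minimal transfer-path adequacy check with an audit trail.

All jurisdiction codes, adequacy statuses and supplementary measures below are
constructed placeholders for the example, not real adequacy decisions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed adequacy table (assumption): jurisdiction -> status and measures.
# "adequate" means no further measures; otherwise the listed measures apply.
ADEQUACY_TABLE: Dict[str, dict] = {
    "EU":        {"status": "adequate", "measures": []},
    "COUNTRY-A": {"status": "adequate", "measures": []},
    "COUNTRY-B": {"status": "not_adequate",
                  "measures": ["standard contractual clauses",
                               "encryption in transit and at rest",
                               "transfer impact assessment on file"]},
}


@dataclass
class AuditEntry:
    """One line of the audit trail: who checked what, when, with what result."""
    checked_at: str            # ISO-8601 UTC timestamp
    checked_by: str
    dataset: str
    jurisdiction: str
    outcome: str               # "adequate" | "not_adequate" | "unknown"
    required_measures: List[str]


@dataclass
class TransferDecision:
    permitted_without_measures: bool
    required_measures: List[str]       # de-duplicated across all hops
    unknown_jurisdictions: List[str]   # hops missing from the table: block and escalate
    audit: List[AuditEntry] = field(default_factory=list)


def check_transfer(dataset: str, path: List[str], checked_by: str,
                   table: Dict[str, dict] = ADEQUACY_TABLE,
                   now: Optional[datetime] = None) -> TransferDecision:
    """Assess every hop of a transfer path, not only the final destination.

    `path` lists the jurisdictions the data passes through, origin first, e.g.
    ["EU", "COUNTRY-B", "COUNTRY-A"] for data routed via a processor in
    COUNTRY-B to a recipient in COUNTRY-A. Each non-origin hop is checked and
    recorded separately, so the audit trail shows which jurisdiction was
    assessed, by whom, when, and what measures were required.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    decision = TransferDecision(True, [], [])
    for hop in path[1:]:
        entry = table.get(hop)
        if entry is None:
            # A jurisdiction the table does not know cannot be assumed adequate.
            outcome, measures = "unknown", []
            decision.unknown_jurisdictions.append(hop)
            decision.permitted_without_measures = False
        else:
            outcome, measures = entry["status"], list(entry["measures"])
            if outcome != "adequate":
                decision.permitted_without_measures = False
                for m in measures:
                    if m not in decision.required_measures:
                        decision.required_measures.append(m)
        decision.audit.append(
            AuditEntry(ts, checked_by, dataset, hop, outcome, measures))
    return decision


if __name__ == "__main__":
    # Point-to-point transfer versus the same data routed through a third-party
    # processor in another jurisdiction (both paths are constructed examples).
    for path in (["EU", "COUNTRY-A"], ["EU", "COUNTRY-B", "COUNTRY-A"]):
        d = check_transfer("settlement-instructions", path, "dpo@example.invalid")
        print(path, "permitted without measures:", d.permitted_without_measures)
        for e in d.audit:
            print("  ", e.checked_at, e.checked_by, e.jurisdiction, e.outcome,
                  e.required_measures)
```

The point-to-point path produces a single audit entry; the routed path produces one per hop, and the decision only stays "permitted without measures" if every hop is adequate. A jurisdiction absent from the table is treated as a blocking "unknown" rather than silently passing, which is the failure mode a spreadsheet lookup with a stale table would hide.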

Firms could attempt to manage the new requirements by putting together a spreadsheet and building a couple of macros to check some static data tables to see whether jurisdictions are equivalent or not, adds Finlay. “There are two problems with that approach,” he says. “The first is being able to maintain those records across the entire organisation in order to demonstrate the audit trails. The second is how will the firm keep modifying it as the recommendations crystallise into more definitive requirements. By adopting a commercial solution such as ours, firms can save themselves that time and effort because we’ve already invested the resources to make sure that content and capability is available.”
