Whilst data privacy and security risks remain on the risk radar for trust companies, this year's trust companies survey focussed on what were the most challenging privacy risks for companies. We asked the same question when researching the last edition of the survey, when the results showed that the participants were broadly split amongst a number of key issues. In contrast, this year's results show a notable trend towards compliance with multiple regimes as being by far and away the most significant privacy challenge facing trust companies.
What do you find most challenging about privacy compliance?
This is hardly surprising given the global focus on data privacy and the resulting number of new laws coming into force around the world. Many of these bear similarities to the UK/European regime but are not identical, and national concerns and interests are built in, making it challenging for multi-national organisations in particular to adopt a single, uniform approach to data privacy compliance globally. The increasing number of data localisation laws in particular creates challenges for companies looking to centralise systems and processes. It is not obvious from the survey results whether this global compliance challenge has become more of an issue over the last year, or whether the results simply reflect that other challenges, such as subject access requests, have not materialised in the way that was previously feared. However, what is clear is that the challenge of balancing compliance obligations across multiple competing regimes is unlikely to recede anytime soon.
Data security and data retention/destruction were the next two most challenging issues facing the trust companies surveyed, at 14% and 11% respectively. Whilst the spectre of data breaches and cyber attacks has not receded, we can perhaps speculate that this diminishing level of concern about data security (relative to the last edition of the survey) reflects both the significant investment that many organisations have made in their IT security and a lack of significant regulatory enforcement action relating to data breaches. With respect to data retention/destruction, this clearly continues to be challenging for trust companies, which have to navigate the complexities of competing data retention requirements in myriad regulations, on top of which is layered the data privacy requirement not to keep data longer than necessary.
Perhaps most interesting is the result showing that 0% of those surveyed are concerned about privacy notices/transparency obligations. Whilst privacy notices are often just seen as an administrative tick box exercise, there are perhaps two key reasons why notices and transparency should not fall off the radar entirely:
- In Europe, we have seen significant recent enforcement action relating to transparency obligations and privacy notices – WhatsApp has been issued with a fine of EUR 225 million which it is appealing.
- Trust companies often find it challenging to provide transparent information about their personal data processing to all relevant data subjects, for example beneficiaries who may not even be aware that they are the beneficiary of a trust, but about whom trust companies may nonetheless process significant amounts of sensitive personal data.
As a result, it will be interesting to see how trust companies respond to transparency challenges over the course of this next period.
Finally, we have been considering why data privacy might be (relatively) less of a concern to trust companies since the last edition of this risk survey – it has moved down from number 5 to number 7 this time around. There could be all kinds of reasons, including: the biggest fines have been handed out to large multi-national corporates and trust companies have largely been unscathed; the large data class actions have not yet got off the ground (at least in the UK); the initial excitement around the Dawson-Damer ruling has died down; and trust companies have become more comfortable with how best to comply with the various regimes to which they are subject. In any event, the risks posed by handling data (and particularly sensitive personal data) are not going away.