As part of our recent trust companies survey, we asked the participating trust companies what data privacy issues pose the greatest challenges to their business.
Privacy as a business challenge
Interestingly, despite the high-profile implementation of GDPR in 2018, CCPA in 2020, and multiple other data privacy laws around the world in recent years, the participants ranked compliance with data protection legislation only fifth out of seven key issues posing the greatest challenge to trust businesses.
At first blush, this appears to contradict many FTSE 100 and similar lists of major international companies, who often cite data protection and cyber security risk as the two key risks to their business. The results also seem at odds with an industry usually in possession of large quantities of personal data, often including ‘sensitive’ personal data.
The survey itself did not delve into the reasons for this classification of data protection risk amongst participants and it is therefore left for us to speculate about this apparent difference in approach to data protection regulation. Upon reflection, there could be a number of reasons behind this potentially surprising result:
- The geographical location of the trust companies surveyed – the vast majority of the companies surveyed were located outside of the EU and the immediate reach of major data protection regimes such as the GDPR. Whilst the GDPR has extra-territorial reach in certain circumstances, its immediate effect is undoubtedly felt to a lesser extent outside of Europe.
- Privacy fatigue – in the short-term aftermath of GDPR implementation, it is fair to say that many organisations are suffering ‘privacy fatigue’, having spent significant time and expense dealing with GDPR implementation. In the absence of significant enforcement action in the trust space, there may be little appetite to further grapple with data privacy issues.
- Client confidentiality – it is fair to say that the importance placed on client confidentiality for many trust companies means that data privacy legislation is less ‘alien’ and therefore less of a challenge for such companies than it is for many other organisations. Privacy is often already ‘built in’ by design and confidentiality is fundamental to the business. A breach of client confidentiality would have significant consequences above and beyond any potential data privacy legislation sanctions.
Stuart Esslemont, Data Protection Officer at ZEDRA, echoes this analysis in relation to client confidentiality being a key pre-existing part of their business: “Today’s conversations on data privacy tend to focus on the risks associated with new technologies and digitalisation. Our longstanding focus on preserving confidentiality pre-dates technological advances and legislation like GDPR.”
Privacy Compliance Issues
When asked what was most challenging about privacy compliance, the participants were broadly split amongst a number of key issues. Top of the issues list was compliance with multiple regimes, and given the geographic spread of many trust companies, this is hardly surprising. Whilst a lot of focus has been on GDPR in Europe, the last few years have seen a proliferation of new data privacy laws being implemented all over the world.
[Chart: What do you find most challenging about privacy compliance? Respondents were able to choose more than one option.]
Many of these bear similarities to the European regime but are not exactly the same and national concerns and interests are built in, making it challenging for multi-national organisations in particular to adopt a standard uniform approach to data privacy compliance globally. The increasing number of data localisation laws in particular creates challenges for companies looking to centralise systems and processes. Stuart Esslemont recognises that “there is no shying away from the fact that the multitude of legislation in different countries (with subtle variations on themes) and continual emergence of technologies present ongoing challenges to ensure that we continue to stay ahead of the game and keep personal (and all other) data safe and secure. COVID-19 is presenting novel data protection challenges which we are addressing on a daily basis in the ‘new normal’ environment in an effort to maintain our usual high standards on these matters.”
Data security was another issue which ranked highly among privacy concerns, which again seems explicable given the potential consequences from both a regulatory and a business perspective which could flow from any data security breach.
Perhaps a more interesting issue coming out of the survey results is the placement of data retention/destruction as the third most concerning data privacy compliance issue. This possibly reflects the difficulties faced by trust companies having to navigate the complexities of competing data retention requirements in myriad regulations, on top of which is layered the GDPR requirement to not keep data longer than necessary. This often creates a tension between regulation setting out a minimum retention requirement and privacy regulation seeking to impose a (subject) maximum retention obligation. Whilst historically we have not seen much enforcement action in this space, the recent decision of the Berlin Data Protection Authority to impose a €14.5 million fine against a real estate company for its over-retention of personal data suggests that data retention and destruction could be an issue on the radars of not only trust companies but also now the regulators.
For the trusts industry, it is clear that data and privacy remain a concern and there are a number of practical challenges with data privacy compliance. However, for now, the advice remains to ensure that appropriate resource is directed at privacy compliance, have in place up-to-date policies and procedures and ensure that personnel are adequately trained so that such policies and procedures are rigorously followed.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2020