SCL Event Report: International Management of Data Protection

July 20, 2015

The panel for the event consisted of:

· Johanna Pimentel – EMEA Privacy Counsel at JP Morgan

· Ellis Parry – Global Lead for Data Privacy at BP

· Gayle McFarlane – partner at Cordery Compliance.

Jonathan Segal, partner at Fox Williams LLP, chaired the meeting.

Implementation, Monitoring and Accountability

The discussion commenced with a look at how organisations should not only have a data protection policy in place but should also be able to prove that such policy is being effectively implemented.

This has created the need for the effectiveness and robustness of data protection measures to be monitored by an internal or external party. Ellis used BP’s compliance reviews as an example and stated that such reviews enable BP to identify any gaps in compliance on a global basis. Each jurisdiction has a local privacy coordinator tasked with assisting with such reviews.

The developments in this area of law mean that it is no longer acceptable to do the bare minimum in relation to data protection in order to avoid liability.

Businesses should ask themselves ‘is data key to the business, or is it an ancillary part of the business?’ This should guide the design of the risk assessment process. They should then conduct a legal analysis to identify what activities they are carrying out and whether such activities are caught by existing data protection laws and regulation. Businesses should then carry out a risk assessment to determine the level of risk that a data protection breach may occur and the likely impact of any such breach. A data security breach plan should then be documented to enable the business to respond quickly to data breaches.

The panel noted that an unwillingness to put practices in writing is perhaps indicative of the fact that these practices are not being carried out. It was emphasised that organisations should look beyond whether they are meeting the legal requirements and ask themselves whether they are taking the most appropriate course of action.

Global Compliance

The panel addressed the key issues to be considered in relation to global compliance within large multi-jurisdictional organisations. It was noted that this is an interesting area for a number of reasons, including the regulatory aspects.

The question was raised as to how a global company which operates in numerous different countries can ensure that a data protection policy is implemented effectively and proportionately worldwide. It was also noted that the global marketplace is now open to much smaller businesses than it had been in the past, meaning that it is no longer necessary to be a large, multinational corporation in order to require effective international data protection procedures. This creates difficulties, as the global marketplace is open to businesses which cannot afford to have in-house compliance teams.

It was noted that risk acceptance is different in all organisations. Some adopt the lowest common denominator approach to global compliance, whilst others operate at the highest level. Some companies simply operate on a country-by-country basis, but the panel was of the opinion that data protection compliance is in reality a global issue, especially in the financial services industry.

It is important to appreciate that, in addition to the different regulators across jurisdictions, there are different laws to contend with, such as banking secrecy and confidentiality.

A further issue in relation to global compliance was identified, namely that there are significant cultural differences surrounding data protection and what is considered private data. For example, in some countries personal financial information is considered public rather than private. It is therefore important for organisations to take account of and appreciate the cultural dimension they are working within. In light of this, it is clear that there is no ‘one size fits all’ global strategy for data protection.

The proposed General Data Protection Regulation will no doubt give European-based regulators a new tool in their enforcement of data protection. However, it remains to be seen how this tool will be used. The panel agreed that organisations should remember that the ICO is looking for compliance rather than to enforce its powers to fine offenders.

Georgina Fraser is a Trainee Solicitor at Fox Williams LLP.