Richard Atkin, Managing Director at Exiger
Establishing Sustainable Compliance Processes in the Face of the General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) aims to establish a coordinated data protection framework across the EU and will come into force amid an ever-rising threat to businesses from cyber-attacks. The financial penalties for noncompliance with the GDPR, especially in relation to data breaches, are severe.
As the new regulation’s enforcement deadline of May 25, 2018, draws closer, some unanticipated consequences are starting to emerge for large corporations, such as the added cost of compliance. Facebook has disclosed an extra compliance cost of several million dollars and grown its data protection team by 250 percent.
The regulation poses significant obstacles to the due diligence process, introducing a new set of challenges for researchers and investigators who collate data, and for companies which rely on that data to adhere to their own stringent anti-money laundering (AML) and know your customer (KYC) requirements.
Understanding the GDPR
The right to be forgotten gives individuals the ability to request the deletion or removal of personal data in circumstances where there is no compelling reason for its continued processing. That means if a less-than-flattering Google search result about your involvement with a lawsuit that has since been settled pops up every time your name is searched, you may be able to have that search result removed according to the right to erasure.
The right to object allows individuals to determine how their data can be used once a company has it, for example limiting the processing of that data for research or marketing purposes. That creates an interesting dilemma for due diligence professionals who are tasked with unearthing those compromising news articles and questionable data points that can serve as red flags for a potential third-party business risk. Should individuals obfuscate that information in the name of the GDPR, not only will it be harder to find the information, companies that allow access to it could face fines of up to €20 million.
To add complication, banks will need to have customer consent for the data points they collect, and customers can block them from accessing certain data for certain purposes. Many banks and businesses may be left having to allow customers to easily delete information and export it while simultaneously implementing new and costly data protection policies, and documenting and justifying the collection of certain information. To the diligence professionals that rely on the availability of factual historical data, it means risk.
Frustratingly, some of the new aspects of the GDPR are in direct conflict with AML rules in certain countries. The right to object, which would allow bank customers to hide data, stands in direct contrast to AML rules requiring banks to collect and search all manner of bank customer data. The U.K. Suspicious Activity Report (SAR) regime, for example, requires financial firms to report any suspicious activity, based on due diligence conducted on an individual’s personal data. Under the GDPR, it would seem, customers have the right to withdraw consent from sharing their personal account data for the purpose of compiling a SAR.
In that scenario, however, the U.K. would still be able to require the SAR report, even if an individual customer withdrew consent under rights granted by the GDPR, because there are limits on the EU’s power to legislate over the internal affairs of member states. The disconnect between the EU-wide applicable law and some domestic U.K. legislation could create significant headaches for financial institutions caught in the middle. Adding even more pressure for banks, the new regulation brings the ability for an individual to claim damages for non-material suffering if GDPR rules are violated, which could introduce a whole new layer of legal administrative costs.
Finding a Sustainable Path to Compliance
Fortunately, there are solutions for due diligence researchers and investigators working within this new regulatory ecosystem. Through shrewd use of new technology and careful navigation of the law, it is still possible to thoroughly vet partners, acquisition targets, and other business relationships without compromising the GDPR.
The first step is deploying a comprehensive search technology that not only scours the major search engines and social media sites, but also deep web sources, government databases, local language media, and other sources for a truly comprehensive draw-down of all available information. Under the GDPR’s right to erasure provision, individuals must request the removal of information and have it granted by each individual source, typically going for the big search engines and social media sites first. Google alone has removed more than a million search results in the EU since May 2014 when the right to be forgotten legislation was first introduced. Many of these have included news articles that are still accessible, just not through the Google search engine when searching from an EU-based IP address.
The second step involves working with technology that can work around EU servers, usually through a virtual private network, or VPN. This encrypted tunnel to a secondary network, often outside of a user’s host country, is used to connect securely to the internet and shield a user’s physical location. VPNs have been employed for years by investigators to conduct research on high-profile, politically-exposed officials in authoritarian states where traditional information channels cannot be trusted and where online censorship of content and search results is very real.
By using a VPN that routes a user’s internet traffic through a third country, an investigator in the EU may be able to view search results and other content not readily available in his or her host location. In essence, a VPN can mask a user’s country of origin, thereby permitting an investigator to access search results that have not been influenced by the GDPR’s right to erasure. In light of the ever-growing body of delisted content pertaining to EU persons, VPNs are rapidly becoming a must-have when conducting due diligence from Europe.
While these technical work-arounds may appear to run counter to the spirit of the GDPR, they are in fact vital to ensuring compliance with equally important laws, such as the EU 4th Anti-Money Laundering Directive. Like many sweeping regulatory reforms, GDPR enforcement will bring with it a number of seeming contradictions and challenges for businesses that need to reconcile a broad set of compliance demands. The key to success is navigating these changes in a manner that is both monetarily sustainable and well within the bounds of the various regulatory frameworks at play in the regions in which your business operates. Knowing the boundaries and knowing how to be creative within those parameters are essential prerequisites in this environment.