Special Edition: The emergence of data sovereignty and implications for global data transfers

And how financial institutions can manage the risks.

Data has long been a focus of financial institutions; however, most struggle to monetize the insights it holds because of poor data infrastructure, complex operating models, legacy systems, and weak data governance. The arrival of cloud computing opened new opportunities for how financial institutions manage and store data, and many embarked on strategic initiatives to migrate their data into the cloud using third-party cloud vendors.

That process is now bound to accelerate further in the era of Artificial Intelligence (AI) as organizations seek to leverage cloud capabilities to run models that consume large volumes of data. Financial institutions have also increased their reliance on specialized technology firms to deliver their strategies, which often involves the exchange of personal customer data. Third-party ecosystems have been identified as vulnerable areas under attack by cybercriminals. Against this backdrop of data risks, data privacy in particular has risen sharply up the agenda, with country authorities and regulators increasingly focused on protecting the personally identifiable data of their citizens from unlawful access; hence the emergence of data sovereignty.

What is data sovereignty?

Data sovereignty is the concept that data generated, processed, stored, and distributed in a particular jurisdiction is subject to the data laws and regulations of that jurisdiction. This is primarily motivated by the desire of authorities to protect private data, intellectual property and any security-related data from unauthorized access. Although the concept is simple, it is complicated by a number of factors:

  • Data is not static and is subject to movement and transformation that often transcends the borders of a country. It is not uncommon for data to be produced in one jurisdiction, processed and stored in a second (data localization) and/or stored in a third location (data residency). These are distinct data scenarios, and they may make the data subject to the laws and regulations of multiple countries.

  • The advent of cloud computing has accelerated the seamless cross-border movement and transformation of data involving multiple jurisdictions. Multinational corporations using cloud technology, and the cloud service providers themselves, want to move, process and store data in whatever manner lets them extract the most business value in the most efficient and cost-effective way possible.

The importance of data sovereignty

Multinational organizations and cloud service providers need to understand the data sovereignty scenarios likely to arise in their environment, understand the implications for both cloud and on-premises data (taking into account local, regional and international laws and regulations), and implement an effective data governance framework to ensure compliance with those requirements.

Regulatory requirements associated with the cross-border transfer of personal information

The requirements of data privacy laws and regulations differ across the world, and conflicts and inconsistencies may arise, making compliance complex. The EU General Data Protection Regulation (GDPR) is considered the most rigorous data privacy regulation in the world and is expected to influence standard setting in non-EU jurisdictions such as the U.S., where a significant volume of EU citizen data processing occurs. Under the GDPR, personal data may be transferred to jurisdictions outside the EU provided specific conditions are met, including:

  1. Adequacy - the receiving entity and country must afford the data subject a level of protection adequate and equivalent to that of the EU. The European Commission conducts adequacy assessments of non-EU countries on an ongoing basis.

  2. Appropriate safeguards - in the absence of an adequacy decision, personal data may be transferred provided safeguards exist that enforce data subject rights and give access to effective legal remedies equivalent to those afforded to data subjects in the EU. This may require the completion of a transfer impact assessment.

  3. Derogation - transfers may be exempt from the adequacy and safeguards principles in specific instances, provided they adopt the principles of minimization and limitation, e.g. with explicit consent from the data subject, for the performance of a contract, or for reasons of public interest.

How can financial institutions manage the risks?

  • Corporations need to implement an effective risk-based data governance framework so that they understand their obligations, support them with effective controls, and have the capability to monitor risks and remediate instances of non-compliance when they arise.

  • An effective framework requires governance, policies and procedures, appropriate risk and compliance skills, monitoring systems, and reporting mechanisms to boards and regulatory authorities. A particular area of weakness has been the monitoring and oversight of third parties by financial institutions.

  • Controls need to protect personally identifiable information, both at rest and in motion, from cyber attacks.

  • Control frameworks need to ensure compliance with data privacy regulations in different jurisdictions. Decisions may need to be taken about continued relationships with third parties located in jurisdictions that offer lower levels of protection, as well as those considered restricted.

  • Regulations place the onus on financial institutions to take responsibility for protecting personal data across the third-party ecosystem, not just within the perimeter of the organization itself. This requires greater attention from financial institutions as dependence on third parties grows, and is likely to increase further as open banking gains traction.

  • It is inevitable that conflicts and inconsistencies between jurisdictions' data laws and regulations will arise from time to time; however, these can be resolved with advice from legal counsel.

Best regards,

Avinash Singh

Risk and Compliance Partner
