Data protection regulations: a fork in the road for financial institutions

Regulatory bodies continue to make data protection rules. And as their number grows, so do the complexities surrounding a whole host of requirements for the different activities at the heart of the core business.

When facing a fork in the road, financial institutions may freeze or even ignore important data protection problems that can catch up with them later on. And let’s not forget how many times they have to face this situation.

As the workforce knows well, data protection requirements exert a tentacle-like influence on organisations. Regulations are often surprisingly international in scope, while also rubbing up against any number of financial and non-financial rules locally.

Today, some 130 countries have data protection regulations, many of them following in GDPR’s footsteps. Yet divergence is often marked in important areas; we are nowhere near a single regulatory view.

This presents a particularly intimidating challenge for companies operating on a global scale. Since they operate in many different countries, data protection implications sit at the core of their business activities.

This is a huge hurdle to overcome when processing or transferring—often very sensitive—data.

The compliance burden spans the whole spectrum of requirements, however, as we found from our recent research among Data Protection Officers (and their equivalents) at private banks, wealth managers and banks operating in Europe and Asia. 

Although 27% reported that their biggest challenges stem from transferring data to third parties and countries, the majority (53%) are still tripping up on issues with day-to-day internal processing. 

The remaining 20% cited concerns as varied as infrastructure complexity, corporate culture and sheer volume of work.

A hotly contested field

With firms ramping up technology change to deal with the pandemic, it is unsurprising that carrying out the data protection impact assessments mandated for innovations and high-risk processing stood out as a particular burden. 

Indeed, a full 50% of the data privacy respondents reported that IT is the department with the most questions – although that was from among a hotly contested field, with legal, HR and front office close behind.

Practitioners are not only having to “helicopter” to help a panoply of departments meet their obligations, they are having to work incredibly hard to stay up to date with developments themselves.

As several participants told us, digesting all the updates and interpretative notes could constitute a full-time job in itself. The weight of their responsibilities is getting dramatically heavier too.

Chief among them is the requirement that data exporters assess whether third countries’ data protection regimes offer equivalent protection, as imposed by the EU’s judgment on the matter.

On that point, half of the participants said they have to source regulatory guidance from external law firms, while a fifth turn to consultancies, at costs running to thousands per day. Across the divide, 40% are left to glean what they can from memos and the like.

The cash-constrained are a large group: 54% of practitioners globally cited insufficient privacy budgets[i].

Approaches diverging

The gap between access to content and budget constraints is not the only big divide emerging. Firms know they need to urgently address the untenable burden on their (often surprisingly small) data protection teams, to seek both efficiencies and immaculate compliance simultaneously. 

Whether to “throw people at the problem” or put technology to the task represents a real fork in the road.

The first path continues to be trodden in time-honoured compliance tradition: 44% of institutions had increased their data protection headcount in the preceding year, and 47% planned further hires in the one ahead. 

Here, we heard about the creation of data protection centres of excellence, which is certainly to be applauded. However, it seems that all too often firms are recruiting highly skilled and expensive people to do work that could and should be digitised and automated. 

Given that the median annual salary for data privacy practitioners in 2021 was $140,529, it is unsurprising that pay generally eats up half of privacy budgets.[ii]

Just as with other areas of compliance, technology can take care of a lot of the heavy lifting in data protection, so we were encouraged to see that a third of firms are leveraging digital resourcing in this area. 

Even better, a quarter had adopted a specialist solution rather than adding an in-house build to their endless technology to-do lists.

A data protection regulation wish list

The wish list for a comprehensive solution would have to stretch from a digital repository for news, regulatory analysis and commonly asked questions, to rules-based workflows constantly monitored and updated behind the scenes. 

Quite apart from the urgency with which institutions have to make changes, it would not do to underestimate the complexity of such a build.

Fortunately, today there are compliance solutions that cover most of the aforementioned items.

Anyone expecting that data protection regulation headaches might have eased during the pandemic will have been disappointed. 

As our study highlights, wealth managers are in fact feeling the operational efficiency and cost pressures more and more. They will have to think very hard about how to best alleviate them. 

There may well be a good reason for hiring, but institutions should remember that there are alternatives to throwing people at the problem.


[i] IAPP-EY Annual Privacy Governance Report 2020
[ii] IAPP Annual Salary Survey 2021

About Apiax

Apiax is a Swiss RegTech that builds regulatory compliance software to ease risk management for financial institutions worldwide. Welcome to our blog!