Easy answers to inbound requests
In-house legal departments and data protection professionals are confronted with many requests on data protection implications from various corporate stakeholders in business, IT, and other units. Depending on the complexity of such requests, it can be very time-consuming to answer them efficiently. The handling of these data protection issues is often a manual process, disconnected between the various stakeholders. In fact, we find that many organisations accept a certain risk and cross their fingers that nothing significant will happen to them.
RegTech and data protection: Solving key challenges
In the following, we have collected a few topics that we find particularly challenging in data transfer restrictions – and data protection more generally – and where we see technology-enabled RegTech solutions adding significant value. Which are the key challenges of data protection for financial institutions?
- Complex regulatory landscape: Even though the European General Data Protection Regulation (EU-GDPR) set a new standard in terms of data protection, every European country can still define its own information privacy laws. This results in a heterogeneous legal landscape with many different requirements. Outside of the EU, every country has its own data privacy laws. Legal teams typically have one or two experts on data protection rules, which is not enough to handle all questions efficiently and with the necessary depth. Usually, many open questions on cross-border matters and practical implementation arise with the legal expert, which creates a confrontation between legal and the business. In addition, certain laws must be applied on top of each other (e.g. local banking confidentiality in combination with local data protection regulations).
- Significant fines for non-compliance: To take a European example, Europe’s General Data Protection Regulation (EU-GDPR) has led to a significant increase in penalties for failing to comply with privacy laws. These regulations drove businesses to invest heavily in information privacy.
- Frequent regulatory updates: Due to the increasingly interconnected world, more and more data protection regulations and data privacy laws are being (re-)designed to address the technological (social media etc.) and societal changes that have taken place over the last decades, adopting a technology-neutral approach to regulation. The main focus of those new or updated laws is to give individuals more control over how their data are collected, used and protected. Organisations currently impacted by GDPR and the Federal Act on Data Protection (FADP) will most probably soon be affected by other data protection regulations and privacy laws, such as Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), or the Personal Data Protection Act (PDPA) in Singapore. GDPR, LGPD and PDPA are just the tip of the iceberg for privacy laws. More and more regulations are expected in the coming years, which will continue to impact organisations globally.
- Data transfer happens everywhere: The in-house legal team is confronted with many requests on data protection implications from various stakeholders (clients, business, IT, human resources, marketing, etc.). Depending on the complexity of such requests, it can be very time-consuming to answer them efficiently. A mid-sized organisation can easily end up with more than 150 requests per year related solely to whether data can be transferred to or accessed by a third party.
Handling data transfer restrictions with Apiax
Apiax’s data protection rules provide instant answers on complex cross-border handling of personal information. They provide clear answers on how data controllers (data owner, responsible for the data and reporting to the data subject) and data processors (processing data in the name of the controller) need to manage personal data. Apiax rules for data protection (including domestic as well as cross-border transfer analysis) give instant answers on very complex questions regarding data handling and their restrictions.
Simply understanding the restrictions for given constellations of parties and their jurisdictions helps lower stakeholder concerns and enables the stakeholders to tackle the restrictions in a clear way. Apiax rules can be made available to anybody in the organisation, from the COO via legal departments to the actual stakeholders, where the questions and concerns on data protection implications usually arise. Overall, the more people have access to clear and precise rules on data protection, the greater the participation and involvement of stakeholders outside the legal department, and the fewer questions are expected to land on the desk of the legal department, lowering its workload dramatically.
As is always the case, we are able to offer a number of options to consume our data protection rules, ranging from a simple browser-based app that is “view-only” to customisation options and up to full integration of our rules into existing tool landscapes.
Opportunities from RegTech solutions
Here are some opportunities that we would like to share. These are insights we’ve gained from talking to our clients over the past months. They might help you understand the benefits of RegTech solutions in the field of data protection and especially data transfer restrictions.
- Business development: With almost every client we talk to, we see that more and more initiatives are planned (e.g. around digital customer channels, cloud computing and transformation projects) that create opportunities for organisations – but also confront them with questions on data protection implications. In many organisations, initiatives in data analytics and business intelligence have led to the creation of data lakes, where large amounts of personal information are being processed. Often, in-house legal teams or the data protection officer are not involved in clarifying whether data is rightfully used. A large number of data leaks and cases of misuse of information happen within secondary data sources to which data is transferred. We’ve built our technology to solve these challenges.
- Efficiency: Because of a lack of knowledge management around the clarification of data protection questions, the same questions in different business contexts are clarified again and again, often with the help of external law or consulting firms. Smart technology-enabled solutions can help deal with this issue internally, at much lower cost.
- Process automation: Banks (and other industries as well) are forced today to automate compliance processes and reduce costs. To be able to do so, however, they need to start working with machine-readable compliance rules on data protection and data transfer restrictions. Banks need the right tool for this, something that Apiax can offer.
- Usage of cloud services: Usage of cloud services seems profitable but also draws critical voices, as the responsible data protection departments might think they can only manage the risks of such new digital and automated processes with more people in their teams. Since adding more people is often impossible due to cost pressure, cloud solutions often meet opposition. On top of that, due to the complexity, many in-house legal teams start passing the questions on to external legal counsel, even if these are recurring legal questions with a slightly different business case. Overall, a valid, profitable business opportunity (e.g. cloud services) gets weighed against a high cost burden and, usually, such business ideas get dismissed. This is another opportunity where RegTech data protection solutions can help.
With the right technology-enabled solutions, financial institutions can start to get a handle on their most pressing challenges in data protection and data transfer restrictions. If you would like to learn about the RegTech solution that Apiax has built for this purpose, please reach out to us and book a demo.