Clarifying data protection territorial impact assessments in different jurisdictions
Today, business units approach the Compliance and Data Protection units to ask whether a jurisdiction's data protection laws could have an impact. Fundamentally, the business wants answers about the activities it plans to develop and/or change. Usually, its dedicated projects must define a new business opportunity as well as assess the related risks. Compliance needs to be able to go through different jurisdictions one by one and check how the activity is impacted by each country's legislation.
A CCO or DPO might even hire an external consultant (from the Big Four, for example) to carry out all those checks in the bank together with the business side, so that they know what is happening and can ensure they stay compliant. The regulator also needs that information when the time comes.
The challenge of data protection territorial impact assessments in different jurisdictions
The biggest challenge is to make sure Compliance has all the business details required for a deep analysis that covers every country the business teams and their projects are focusing on. The objective is that the bank is not penalized for failing to implement the data protection rules of one or several jurisdictions, since global projects that do not comply with regulatory requirements are a big risk for the organization.
Additionally, once the relevant countries have been decided and all the business details gathered, it takes time to go through all the jurisdictions, since Compliance needs to work through specific manuals for each country. It must either identify whether the foreseen business activity triggers a country's data protection principles, or find evidence that certain legislation is – sometimes against all expectations – not relevant and can therefore be disregarded for that business activity or project initiative.
Overall, it is a process with too much back and forth, which can lead to a huge delay in project implementation. There are different options for handling this situation:
| | Business Potential | Risk Minimisation | Ease scalability | Time and cost reduction |
|---|---|---|---|---|
| Option 1: Clarify relevant Data Protection triggers manually for a limited number of locations | + | +++ | + | +++ |
| Option 2: Rollout global territorial impact assessment checks and clarify restrictions case by case manually | ++ | ++ | + | ++ |
| Option 3: Digital cross-country territorial scoping checks | ++++ | ++++ | ++++ | ++++ |
Introducing digital territorial scoping checks
By using digital territorial scoping checks, Compliance and Data Protection units can assess the impact of a business and its projects in different jurisdictions in a matter of minutes instead of going through manuals – which usually takes weeks or months depending on the size of the project scope.
With a tool that permits faster assessment, the compliance unit can also check in which countries a project is easier to deploy, given their specific data protection restrictions. This competitive advantage can help the business unit choose the jurisdictions that make more sense even before starting the project. In other words, Compliance can help business units find the easier scope for the project, resulting in quicker deployment and less time spent checking whether countries bear a potential data protection risk.
To do that, one would need the following:
- Machine-readable data protection rules: a set of country-specific rules customizable by in-house legal teams;
- Dynamic access to data protection answers: a way for IT project managers to quickly access answers on IT system initiatives through an easy-to-use app or via intranet;
- Easy integration options: technology empowering developers to scale the use of machine-readable rules by integrating them into existing processes or in-house tools.
Benefits of using digital territorial scoping checks
- Spend less time on territorial impact assessment checks;
- Increase the number of checks done during the same amount of time;
- Global risk minimization: always be aware of the global territorial impact assessment check with respect to a given business unit;
- Growth opportunity: digital rules allow global scalability thanks to the easy addition of new countries or comparison features.