Post-Brexit, the Information Commissioner’s Office in the UK has decided to call the European Union’s General Data Protection Regulations, ‘Frozen GDPR’. Raili Maripuu, CEO of regtech indoor positioning technology company Mobilewatch, says the key focus is to have clear guidelines and processes on the differences between dealing with cross-border data retention, transfer and storage in multi-site situations before and after 31 December 2020.
Here’s what the ICO has to say about it: “The term ‘Frozen GDPR’ is not an official title and it’s not used in the law itself. However, we think it’s a useful label to help you understand this part of the data protection regime. The ‘Frozen GDPR’ is the EU GDPR almost exactly as it existed on 31st December 2020. The only change is that Articles 60 to 76 of the EU GDPR (on co-operation and consistency) are deleted from the Frozen GDPR.”
Maripuu believes that the impact of removing Articles 60 to 76 of the EU GDPR in ‘Frozen GDPR’ is different to each individual financial organization, as this depends on the structure and the set-up of its systems for data retention and storage as well as the organization’s internal processes. She adds: “Our business focus is currently on the UK. However, for global multi-site installations, we expect to work and adhere to national data protection laws – including Frozen GDPR.”
“Frozen GDPR is just another piece of legislation to consider in an already extremely complex legal environment. All financial organizations have strong legal and compliance departments ensuring that regulatory changes are properly implemented considering both historical and future data.”
Frozen GDPR continues
The frozen version of GDPR continues, despite the UK having left the European Union at the end of 2020. It applies to some types of non-UK personal data, and it is set out in Article 71 of the Withdrawal Agreement. It automatically became law on 1st January 2021. Chiefly, from then, Frozen GDPR applies in the UK to the processing of personal data of individuals located outside of the UK (whether they’re located in the EU or anywhere else in the world).
The ICO adds: “Although the UK has now left the EU, for the purposes of the Frozen GDPR, any references to the EU or to member states are read as if the UK was still part of the EU. For example, if the Frozen GDPR applies, there are no restrictions for transfers between the UK and the EU (although transfers back from the EU to the UK may still be restricted under the EU GDPR).”
Frozen GDPR is not set to change, even if UK GDPR or EU GDPR are amended. It will, in effect, remain as it was on 31st December 2020. However, the UK’s Data Protection Act 2018 (DPA 2018) can still be altered. It nevertheless must “stay consistent with the Frozen GDPR”. The guidelines of the European Data Protection Board (EDPB) will also continue to apply to the Frozen GDPR.”
It applies to that personal data if:
- It was processed in the UK under the EU GDPR before 1 January 2021 (known as legacy data);
- It’s being processed in the UK on the basis of the Withdrawal Agreement. For example, in order to comply with legal obligations (such as the provisions for citizens’ rights) under the Withdrawal Agreement.
The data collected after 31st December 2020 will need to comply with UK GDPR and the UK’s Data Protection Act (2018). Complexity is created by the need to know when personal data was collected, and where the data subject lived on 31st December 2020. This is to ensure that their processing complies with the appropriate legislation.
With BYOD being permitted in at least some of the banks, but with a need to ensure that no market abuse occurs on the trading floor or while traders are working from home, using either their personal device or corporate devices, it’s important to:
- Identify data to work out what data is being created by which applications,
- From which type of device (corporate or personal),
- Whether the data activity is within the bounds of the ‘new’ data protection regime, as well as whether it is within the policies of the bank, or financial services organization, and
- within the bounds of regulatory compliance to prevent market abuse.
A recent 1LoD report on ‘Personal Mobile Device Surveillance’, featuring Mobilewatch, emphasized that privacy matters. With more people working from home in response to the Covid-19 pandemic, the UK’s Financial Conduct Authority make it clear that any data protection arrangements – whether the workforce is working from home or in the office - should be equivalent. Firms are expected to update their policies and to refresh their staff training to ensure compliance can be met and upheld.
The report says this necessitates, “rigorous oversight reflecting the new environment – particularly regarding the risk of use of privately-owned devices. These policies should be demonstrable to us and to your audit teams. It goes without saying that policies should prevent the use of privately- owned devices for relevant activities, where recording is not possible.”
“However, in order to replicate personal mobile device surveillance in a home, the level of physical surveillance that existed on the trading floor implies using the same cameras that exist inside the banks, with real-time feeds to supervisors to replicate line-of-sight supervision and deterrence. No banks on the panel were considering this level of intrusion, firstly for legal and privacy reasons.”
“Video surveillance would inevitably capture private activities no bank would wish to record. In corporate environments, CCTV normally covers all access points (both entry and exit), and rarely spreads to cover the working areas, such as private and open offices and meeting rooms. The placement of video cameras definitely needs to consider data protection and privacy issues. Data privacy legislation is also an issue. The UK ICO is still considering whether Barclays’ use of employee- tracking software from Sapience Analytics breaches GDPR, with potential fines being in the hundreds of millions.”
Privacy and data protection
Maripuu comments: “From the privacy and data protection perspective, our approach remains the same. Mobilewatch technology is compliant with national and international data protection and GDPR laws, as it captures information that is already publicly available and doesn’t see content or other personal information. Financial organizations and other corporations use ten times more intrusive surveillance technologies already as a norm but miss out on personal device surveillance. This is understandable, as they need to protect their businesses on their own terrain, where people have agreed to play by their employers’ rules.”
Before the pandemic, she says very few banks allowed personal devices into regulated spaces. This approach has changed notably since Covid. Some banks are now even driving open-device policies only. She adds: “Financial services institutions incorporate BOYD policies, which are based on their own specific set of requirements. From extremely tight ‘no device’ polices, to the opposite end of the spectrum, where ‘open’ policies allow ‘all devices’ to freely operate.”
Mobilewatch finds that, as policies progress towards the ‘open’ end of the spectrum, risk levels naturally increase. With the spread of SARS-CoV-2, the virus that leads to Covid-19, there was naturally a concern and focus on employees’ wellbeing. This led to a conscious shift towards more open policies, and so Maripuu finds that the prevalence of BYOD within regulated areas, such as trading floors, and in general within banks – is not only here to stay, but also on the increase.
With respect to data protection, and the limitations of identifying personal devices when they are used for work, or in the workplace, she reveals that indoor positioning technology only captures publicly available information from mobile devices, no private information is captured – hence by default the technology doesn’t breach the GDPR and data protection laws.
She adds: “Mobile devices are continuously on the search for ‘friends’, devices they know or could potentially interact with. This is identical to walking into a coffee shop or passing a bus stop, where public Wi-Fi sensors capture information that your mobile device transmits into the ether. The leading indoor-positioning technologies are therefore considered as passive and non-intrusive, as opposed to active and intrusive cellular capture technologies, such as IMSI catchers.”
The benefits of monitoring personal mobile devices include the ability to enable banks to “identify in real-time, exactly when and where an event occurred and on what device.” Maripuu says there are other existing surveillance technologies at an organizational and at an industry level that can identify “nefarious events, including the detail information that resulted in the event, such as conversations, texts and emails.”
With the non-intrusive surveillance of personal mobile devices, and with a seamless blending of information pools, she claims that “surveillance and compliance teams are able to quickly identify bad actors whilst capturing full historical information streams for prosecution purposes.”
With regards to the use of personal mobile devices in sensitive and restricted areas, Raili Maripuu advises organizations to look at the problem holistically because the efforts to enforce compliance are heavily focused on authorized devices.
“The significantly larger risk is personal mobile devices, which are reliant on trust-based soft policies that are not effective”, she explains before commenting that technology must be used to combat technology because manual policies only capture 1-3 percent of events, while utilizing technologies, such as indoor-positioning solutions, for surveillance can capture them all in their entirety.
She says it’s important to ensure that the surveillance technology is non-intrusive or passive. They need to be about preventing rather than reacting to events by being able to identify risks, or the need to further train employees to achieve regulatory compliance. Prevention is better than cure, and it should lead to better results than a capture and fine approach.
“Through the utilization of artificial intelligence (AI) and advance behavioral analytics, identifying risk patterns and resolving before and after events ultimately protects the consumer from Material N-Public Information abuse.” This includes insider trading, and the regulations that address personal mobile device surveillance are clear. Regulatory ignorance is not an option, and that includes situations where personal data may be stored, shared or used in contravention of Frozen GDPR, or of GDPR. It’s also cheaper to enforce compliance than to either end up being severely fined, or worse…
Graham Jarvis, freelance business and technology journalist
Raili Maripuu, CEO, Mobilewatch