2020 proved to be a challenging year for UK businesses attempting to maintain GDPR compliance, highlighting weaknesses in traditional approaches. Existing struggles have been augmented by the widespread effects of the COVID-19 pandemic.
Although GDPR is still relatively new legislation, compliance challenges pre-date the events of 2020. Issues can arise at all stages of the compliance process – from policy implementation and adaptation through to regulatory reporting. With the emergence of big data, firms must have adequate storage resources and smart compliance systems to cope. Moreover, 80% of data is now unstructured [1], making it harder to identify personal information.
As the scale of compliance challenges increases and the regulatory environment becomes progressively more volatile, technologies which facilitate compliance – known as RegTech – are emerging as the only viable solution for businesses. This paper explores some of the problems that have surfaced during the pandemic, and corresponding solutions from the RegTech industry.
The COVID-19 pandemic
When the UK’s first lockdown began on 23rd March, businesses had to deal with a wholly unexpected, and often company-wide, shift to remote working. This rapid shift caused several problems for GDPR compliance:
- An increased proportion of the workforce using personal devices requires secure remote access policies so that data is protected. Personal devices are not always sufficiently protected to comply with GDPR’s security principle, and staff may be completely unaware of minimum security requirements for devices and networks.
- Staff working from home may not have completed sufficient training to identify and report breaches should they occur.
- To compound issues, there is now a heightened risk of data becoming siloed within teams or with individuals all working independently. As a result, the visibility of personal data records across organisations is reduced, making manual compliance monitoring difficult for Data Protection Officers (DPOs).
- If businesses are unaware of the status or location of sensitive data and a breach occurs, reporting to the regulator becomes almost impossible.
- A heightened chance of staff falling ill, redundancies or furloughing due to COVID-19 means many businesses have reduced staffing capacity available to complete manual compliance procedures. Equally, expensive manual procedures may be unfavourable at a time when any excess costs are being scrutinised.
- COVID-19 has encouraged many customers and clients to opt for online services. For example, there has been an increase in the proportion of sales made on the internet versus in store [2]. This shift has increased the volume of customer or client data that must be stored for each transaction. Businesses therefore must be prepared to expand storage, whilst ensuring all data remains compliant under GDPR.
For UK firms in 2021 and beyond, there is a danger of unintentional GDPR non-compliance due to a lack of knowledge of internal procedures or external regulatory changes, or an inability to react promptly to developments. The pandemic and its effects have been unprecedented, and the future remains uncertain. COVID-19 has proven that compliance procedures must be suitably flexible to support ever-changing organisational structures, especially those with a high proportion of remote staff. In essence, businesses must invest in one key capability – agility in their compliance procedures. Firms that rely on traditional manual procedures with no technological assistance will struggle to adapt.
Non-compliance risks large penalties, which are issued by the Information Commissioner’s Office (ICO) to UK businesses. The average fine issued by the ICO has trebled from £73,645 in 2016/17 to £216,000 in 2019/20 [3]. In October 2020, British Airways were ordered to pay £20 million as a result of a GDPR breach [4]. With the economy balancing on the edge of another recession due to COVID-19, firms must have suitable measures in place to ensure they do not incur unnecessary GDPR-related fines.
The role of RegTech
2020 may have set the stage perfectly for the RegTech industry to spread its wings. Regulatory Technology, or ‘RegTech’, refers to the use of new and emerging technologies to facilitate regulatory compliance. Core components are cloud computing, machine learning and AI, all in conjunction with big data. The RegTech industry has been gaining momentum over the past 5 years; global investment has increased from $1.1bn in 2015 to $8.5bn in 2019 [5]. RegTech essentially aims to automate the regulatory process, leading to increased efficiency and adaptability. Although RegTech was originally used in the Financial Services industry, it is distinct from FinTech (Financial Technology). The use case for RegTech is not constrained to Financial Services – it spans into any industry where regulation applies.
RegTech can be implemented by both businesses and regulators – sometimes called ‘SupTech’ (Supervisory Technology) when used by the latter. The industry is relatively young (70% of RegTech companies are less than 5 years old [6]) and hence relies on firms allowing RegTech companies access to sensitive and highly regulated data so that solutions can be tested and deployed. Luckily, UK regulators are on board with promoting the use of such technologies within the regulatory environment. FCA Insight has even described the pandemic as a “watershed moment for RegTech” [5]. The ICO launched their own technology sandbox in August 2020, focusing on solutions to their new ‘Age Appropriate Design Code’. They also have an ‘Innovation Department’ exploring, amongst other topics, the role of AI in regulation.
The CFA Institute [7] describes the RegTech industry as being at version 3.0, having moved from ‘know your customer’ to ‘know your data’ (or KYD). At present, regulators must use technology to comprehend the large volumes of data generated by technologies used within the firms they regulate. A complete shift to KYD could mean regulators reviewing automated processes and algorithms used by businesses.
The combination of the UK’s mature financial services sector and supportive regulators could provide the perfect environment for RegTech to evolve [8] – especially with businesses searching for solutions to their current challenges.
How RegTech can be used
Regardless of the specific challenges caused by the pandemic, an explosion in volumes of data is inevitable, and RegTech firms offer a broad range of compliance tools to allow businesses to effectively manage all data they own. Implementing technology to assist with compliance means businesses can adapt procedures without a lengthy manual adjustment process.
Additionally, there are many tools which use emerging technologies to combat specific regulatory challenges. Examples of these are listed below, which relate to the issues discussed at the start of this paper:
- With no clear timeline regarding the widespread return to office spaces, businesses must accept the need for an adjustment to a remote working business model for the foreseeable future [9]. Most RegTech applications are available on a ‘software as a service’ (SaaS) platform. This means they can be accessed via a web browser, allowing staff working from home to gain access. User interfaces are accessible for all staff, not just technical subject matter experts.
- Speech recognition capabilities also complement a remote working environment, allowing businesses to automatically review voice calls and transcribe conversations. Transcription facilitates detection of personal information, which can be flagged to be dealt with under GDPR guidelines [10].
- RegTech also offers capabilities such as alerting users when a potential security breach from a mis-sent outbound email has been detected [11].
- RegTech supports the possibility of End to End (or ‘E2E’) compliance, removing multi-step processes across departments. One firm even suggests the possibility of a system which recognises relevant amendments to regulations and automatically updates internal policies [12]. This feature could be invaluable for businesses attempting to navigate events which disrupt existing legislation, such as the UK’s exit from the EU in late 2020.
A paper from the University of Dublin claims that “A RegTech approach applied to the GDPR would yield significant benefits to DPO’s, organisations and regulators” [13]. RegTech supports anyone working towards GDPR enforcement, and its capabilities are as widespread as its beneficiaries. Technology providers can react swiftly to market changes by refining and expanding their technical offerings. Once implemented within a firm, RegTech solutions can automate and simplify compliance procedures whilst providing enough flexibility to adapt to volatile regulatory conditions. RegTech firms have recognised the value the industry can offer to businesses struggling with the pressures of 2020, and some have even offered free access to their tools [14].
The challenges and solutions examined are not exhaustive but do provide a small insight into the capabilities of RegTech. The benefit of RegTech is not one single offering, nor is it focused on one single area. The industry’s offerings range from efficiency-boosting workflow management solutions to point solutions for specific regulatory challenges, including those that have arisen in the past year. RegTech is the only solution capable of confronting the challenges currently faced by businesses to guarantee ongoing GDPR compliance.
- [1] Waterford Technologies (2019), https://waterfordtechnologies.com/unstructured-data-a-risk-for-all-companies/
- [2] ONS (2020), https://www.ons.gov.uk/businessindustryandtrade/retailindustry/timeseries/j4mc/drsi
- [3] Computer Weekly (2020), https://www.computerweekly.com/news/252486370/ICO-hails-transformative-year-as-average-fine-trebles
- [4] The ICO (2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/
- [5] Ascent RegTech (2020), https://www.ascentregtech.com/blog/what-is-regtech/
- [6] FCA (2020), https://www.fca.org.uk/insight/regtech-watershed-moment
- [7] CFA Institute (2017), https://www.cfainstitute.org/-/media/documents/article/rf-brief/rfbr-v3-n4-1.ashx
- [8] Comply Advantage, https://complyadvantage.com/blog/what-does-brexit-mean-for-uk-regtech/
- [9] Global RegTech Summit (2020), https://fintech.global/globalregtechsummit/how-would-a-second-wave-of-covid-19-affect-the-regtech-industry/
- [10] Speechmatics (2020), https://www.speechmatics.com/blog/10-advantages-of-using-voice-technology-for-regulatory-compliance/
- [11] Egress (2020), https://pages.egress.com/whitepaper-outboundemaildatabreachreport-0920.html
- [12] Ascent (2019), https://www.ascentregtech.com/blog/end-to-end-compliance-is-closer-than-you-think-how-businesses-can-get-a-practical-head-start/
- [13] Ryan, Crane and Brennan (2020), https://www.researchgate.net/publication/339913174_Design_Challenges_for_GDPR_RegTech
- [14] Corlytics (2020), https://www.corlytics.com/corlytics-red