Kadri Linask-Goode, Global Privacy Lead
July 11, 2023
Data processing is subject to a broad range of constantly evolving laws and regulations worldwide. IT leaders at global financial services enterprises continuously balance data governance with overarching business objectives, which requires an adaptable, flexible, and data-centric IT infrastructure.
The United Nations Conference on Trade and Development (UNCTAD) found that 137 out of 194 countries, or over 70% of countries, have put in place legislation governing the protection of data and privacy. To break it down further, just in the United States there are 5 new state data protection laws coming into effect in 2023.
As a result, leaders at financial services enterprises should familiarize themselves with an ever-increasing number of data privacy laws and evaluate these individually for business and processing impacts.
Data privacy regulations for financial services enterprises
A few data privacy regulations across the globe include:
- The European Union’s General Data Protection Regulation (GDPR)
- Brazilian General Data Protection Law (LGPD)
- Singapore's Personal Data Protection Act 2012 (PDPA)
- California Consumer Privacy Act (CCPA)
In addition to regional data sovereignty laws, new cybersecurity laws and data residency requirements apply specifically to financial services enterprises in key markets.
In the United States, these cybersecurity requirements are coming from the:
- New York State Department of Financial Services (NYDFS)
- Federal Deposit Insurance Corporation (FDIC)
- Gramm–Leach–Bliley Act (GLBA)
- Federal Trade Commission (FTC)
Regulations increasingly hold global financial services enterprises accountable to individual customers’ local data privacy laws in addition to the laws governing the jurisdictions in which they operate.
IT leaders find themselves in the challenging position of creating an IT architecture that can adapt to the new regulations and manage the complexity. Data sovereignty regulations also reinforce the need for a Hybrid IT solution when storing, transferring, and securing data.
Failure to proactively respond to data regulation introduces risk
IT leaders at global financial services enterprises face unique demands and challenges as they adhere to various regional data privacy and sovereignty mandates.
There are two options for managing data:
- Proactively structure the network to process data compliantly and safeguard against regulatory investigations
- Scramble to follow legislation after it's enacted
Waiting for new regulations and reacting has organizational downsides: it increases the potential for errors, risks regulatory enforcement actions, and adds stress to the business.
Because financial services enterprises manage a massive volume of sensitive data, the risk of significant fines and reputational harm increases when a company is unable to adhere to regulations.
DLA Piper reported in its GDPR Fines and Data Breach Survey that data protection supervisory authorities across Europe issued a total of €1.64 billion ($1.74 billion USD) in fines in 2022, a 50% year-on-year increase from 2023.
Other regions are also increasing financial penalties. In Singapore, the Personal Data Protection Commission (PDPC) stated that enforcement of the Personal Data Protection Act (PDPA) increases the financial penalty cap from a fixed S$1 million to 10% of an organization's annual turnover exceeding S$10 million, whichever is higher.
As many countries begin to take data privacy seriously, non-compliant enterprises risk significant consequences.
Financial services enterprises that proactively adapt their IT architecture to evolving regulations can avoid such significant penalties and can compliantly make the most of their data to support their company’s mission and, most importantly, to enhance customer value.
Addressing fragmented legacy data architectures
Data management plays a vital role in the financial services sector as robust privacy and data security capabilities become core differentiators and as data sovereignty requirements evolve.
IDC's 2022 Worldwide CEO survey found that 80% of European organizations considered data sovereignty their highest priority.
Most legacy solutions were assembled from different point solutions over time, which resulted in fragmented IT architectures. IT professionals at leading financial services enterprises recognize the benefit of deploying a data-centric Hybrid IT strategy. Especially as they align with data sovereignty priorities, such a strategy mitigates the risks of local regulations, manages complexity, and optimizes control.
A data-centric Hybrid IT strategy includes:
- Localized data storage, especially in countries where applicable data regulations exist
- Hybrid IT controls to address data governance, sovereignty, compliance, and requirements
- Centers of data exchange that interconnect partners, clouds, applications, and ecosystems
- Optimized data exchange to reduce latency and improve performance, mitigating the challenge of Data Gravity
Making data work for your global financial services enterprise
IT leaders at financial services enterprises can create significant competitive advantages by partnering with an organization that has a global data center platform.
A clear data-centric Hybrid IT infrastructure enables control of where data is stored and how it is aggregated, and leverages cutting-edge technology to stay ahead of cyber-attacks. This helps position your company to meet ever-changing data sovereignty and privacy requirements with regionalized data storage.
Digital Realty brings companies and data together to power innovation by delivering the full spectrum of data center, colocation, and interconnection solutions. PlatformDIGITAL®, our global data center platform, provides customers with a secure data meeting place.
Visit our financial services industry page to learn how PlatformDIGITAL® can help IT leaders unlock growth opportunities and competitive advantages through data-driven transformation.
Author Bio: With 20+ years of compliance experience and nine years in data privacy, Kadri focuses on privacy matters associated with Digital Realty's global customers, staff, suppliers, products, and operations.