What should data protection specialists know about the UK operational resilience requirements?

1 March 2022 Reed Smith Client Alerts

Home Publikationen What should data protection specialists know about the UK operational resilience requirements?

Data protection specialists working in organisations engaged in banking activities or payment services will need to participate in compliance efforts to ensure operational resilience in 2022.

As we alerted at the time, in March 2021 the UK Financial Conduct Authority (FCA) and Prudential Regulation Authority published new rules (SS1/21) on operational resilience for firms in the financial sector.

The rules on operational resilience will come into effect on 31 March 2022, and firms are expected to complete their initial mapping to self-identify important business functions by then. Firms should then identify vulnerabilities and put measures in place to remedy those vulnerabilities so that their important business services fall within set impact tolerances as soon as possible and in any case by no later than 31 March 2025. If a firm fails to meet the impact tolerances, it must notify the FCA.

Autoren: Asélle Ibraimova

Compliance with operational resilience requirements entails a considerable investment of resources and effort on the part of firms. There is an overlap with the data protection compliance efforts firms have already undertaken due to accountability also being at the core of operational resilience requirements, the focus likewise shifting from the firm’s own commercial business interests towards the interests of consumers, and the similarly risk-based approach. Firms will likely look at processes and procedures already put in place by their data protection teams as a useful starting point, because of the similarity in the steps that were required for GDPR compliance: the mapping exercise required to identify the necessary resources to deliver important business services, the governance framework, internal training and accountability, risk assessment and management of risk.

What is in scope: important business services only

The focus of operational resilience is on preventing disruptions to important business services provided by firms that may cause intolerable harm to consumers or market integrity. Therefore, internal processes such as payroll management may not be covered by the requirements. It is the firm’s responsibility to determine what those important business services are.

Risk to consumers: intolerable harm vs any risk

Firms are required to consider people, processes, technology, facilities and information as necessary resources to deliver important business services. Loss of confidentiality, integrity and availability of data are listed as risks that may cause intolerable harm to consumers by the FCA (section 15A2.7(9) of the Operational Resilience Instrument 2021). These risks are also addressed by the GDPR in line with the principles of integrity and confidentiality of personal data. However, in the operational resilience context, it is not just any risk, but intolerable harm, that must be addressed. “Intolerable harm” is defined as “harm from which consumers cannot easily recover. This could be, for example, where a firm is unable to put a client back into a correct financial position, post-disruption, or where there have been serious non-financial impacts that cannot be effectively remedied. Intolerable harm is much more severe than inconvenience or harm” (section 3.8 of PS21/3).

No requirements to process personal data

The FCA requires that, in identifying an important business service, firms also identify the users of the service (section 2.6 of the SS1/21). Users are understood to mean both individual customers and business customers (“The users of the service may include retail customers, business customers, other legal entities, trustees, market participants, the supervisory authorities, or other members of a regulated entity’s group”). The FCA clarified that in identifying an important business service there is no need to “identify consumers by name or change existing requirements for the handling of customer data” (section 2.21 PS21/3).

Also, as part of the mapping exercise, firms are required to “identify and document the necessary people, processes, technology, facilities and information (the ‘resources’) to deliver each of their important business services” (section 5.1 of the SS1/21). This means firms will need to identify individuals in key roles in sufficient detail so that measures can be taken when these individuals are not available. In identifying people responsible for processes, technology and implementing and monitoring controls, firms should avoid identifying key individuals and refer to their roles instead, where possible. Overall, any new processing activities linked to operational resilience purposes must comply with data protection principles, including data minimisation to ensure no personal data is processed unless it is sufficiently justified (including when testing vulnerabilities or weaknesses of systems, technologies, services and processes). Where personal data is processed, the lawful bases for such new processing activities must be determined and documented and any risks in processing such personal data assessed as usual. Personal data should not be retained for longer than is necessary for each step of the operational resilience compliance efforts.

Increased focus on third party service providers (TSPs)

Similar to the GDPR, firms have primary responsibility for operational resilience, meaning that they are responsible for the delivery of important business services regardless of whether TSPs are involved in the provision of the services. Data protection specialists are used to carrying out due diligence of TSPs, including verifying the measures TSPs have in place to address cyber risks, international transfers of data, government access to data in third countries and what happens to data following the termination of services.

As part of operational resilience, due diligence will further expand from a review of security measures around personal data and assessment of TSPs’ business continuity and disaster recovery plans, to reviewing the measures in place to address failures in the TSPs’ own supply chains and joint testing of intolerable harm scenarios. Data protection teams are likely to be involved in identifying dependencies on a common operational asset or third party that may cause intolerable harm to consumers and in finding solutions to remedy any vulnerabilities, e.g., by adding additional channels for service delivery or putting in place alternative service providers.

In addition to the increased due diligence process to incorporate TSPs and the update to contractual terms with TSPs, there will be an increased emphasis on the oversight and monitoring of TSPs to ensure integrity and the confidentiality of data.

What will be expected of data protection teams?

Operational resilience requires a concerted effort from a number of teams within firms, such as IT, legal, compliance, third party governance and customer relations, which are increasingly encouraged to work together.

Besides routine data protection compliance activities, such as documenting the legal bases for new processing activities and assessing risks from a data protection perspective, data protection teams are likely to also participate in the following activities:

Determining what constitutes an important business service, although the teams may already be actively contributing to this process
Identifying intolerable harm to consumers based on a number of factors, including:
- The nature and number of consumers (individuals vs corporate entities, vulnerable consumers, etc.),
- The financial loss to consumers
- The impact on consumer confidence
- Loss of confidentiality, integrity or availability of data (e.g., depending on the nature and volume of the data, the effects of corruption, deletion or manipulation of data critical to the delivery of an important business service)
Identifying measures that remedy weaknesses or vulnerabilities in order to keep within impact tolerances
Testing the resilience of the important business services against severe but plausible scenarios and adjusting measures to remain within impact tolerances, where necessary.

It is expected that, once operational resilience processes are in place, there will be a regular annual review of compliance efforts. This will certainly add to the tasks of data protection teams and their value to the business as specialists that understand the risks around data.

Compliance efforts related to operational resilience should enable firms to comply with the requirements of other regulatory regimes, such as the pending EU Digital Operational Resilience Act (which focuses mainly on ICT risk), the Basel Committee for Banking Supervision’s proposed Principles for Operational Resilience and the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04).

Please contact us if you require assistance with any of the above compliance steps.

Client Alert 2022-047

Cheng, Cue named among top lawyers for DeSPAC transactions

Branchen

Beratungsschwerpunkte

Business Teams

PitchBook: Reed Smith leads on PE transactions in healthcare

Daran könnten Sie interessiert sein

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Tools teilen