Client Needs
Spain’s financial services sector is steadily rebounding after the 2008 financial crash and the covid-19 pandemic. One of Spain’s largest insurers with operations in over 50 countries needed to respond to variable market conditions in 2021 and a merger and acquisition. The UK’s exit from the European Union (Brexit), organisational restructuring and the tail winds of pandemic economic contractions in the EU created a new focus on robust data governance. The Spanish company did not have an established presence in the UK and so it needed to appoint a UK Data Protection Representative, based in the UK, to represent and protect its interests and liaise with two of its largest data processors. The UK’s post-Brexit changes to data protection meant that the client required an organisation with deep expertise, knowledge of the UK regulator, financial services sector acumen and the ability to support them with data breaches and other added services. PrivacySolved was selected primarily for its level of expertise, its Irish and EU team and its mature cybersecurity and data breach response services. Its added services, especially legal and regulatory support, provided reinforcement and reassurance to the client.
PrivacySolved Services and Solutions
The Client appointed an Ireland and UK Data Protection Officer to rationalise resources and improve its focus. PrivacySolved’s UK Data Protection Representative Service (UK DPRS) was set up quickly with targeted front-loaded actions to maximise the client’s data protection compliance from the start. Policies and Procedures covering UK-affected personal data were reviewed, including public-facing General Data Protection Regulation (GDPR) data use notices. The data protection notices and regulator registrations were updated to ensure that the UK GDPR regulator and UK-based individuals could easily contact the Representative, around the clock. A more focussed UK Records of Processing Activities (ROPA) was created from the client’s international data flow mapping to highlight key personal data and data flows that fall within the UK’s regulatory remit. PrivacySolved spent considerable time understanding the data flows, data risks and key contractual obligations between the client and two of its major data processors whose processing impacted the UK, Ireland, Spain and the wider European Union market area.
Results
PrivacySolved’s Data Protection Representative Service helped the client to:
- Reduce and manage the UK’s evolving data protection risks with reliable local expertise
- Add depth to the established data protection and cybersecurity teams in Spain and Ireland
- Save costs by agreeing a subscription-plus-added-services model to build system resilience
- Strengthen the data breach response capacity and expand key data processor support