Data Strategy for Regulatory Compliance

Technology July 29, 2024

From Know Your Customer checks to small talk during conference calls, financial institutions face a firehose of data, both structured and unstructured. A winning data strategy can increase security, reduce risk, enhance customer satisfaction, improve and accelerate decision-making, and drive profitability. But it must also incorporate regulatory compliance.

As technology, cybercrime, and data privacy concerns evolve, regulators are racing to keep up, placing governance at the leading edge of data strategy. Since the EU’s General Data Protection Regulation (GDPR) came into force in 2018:1

  • 19 U.S. states have adopted comprehensive consumer data privacy laws

  • Six have partial consumer privacy laws

  • At least 10 are working on such legislation.2, 3

  • Meanwhile, Canada’s federal Personal Information and Protection of Electronic Documents Act (PIPEDA) is complemented by a patchwork of provincial and territory regulations.

As the interplay of cloud, Artificial Intelligence (AI), and analytics accelerates, and regulators attempt to predict and control an uncertain and fast-approaching future, leveraging data is poised to become even more complex. I will review recent and upcoming regulatory developments, explain what data governance is and how it can help, and offer some tips on incorporating governance into a data strategy.

New regulations will complicate data strategy

Businesses with interests in the EU are already engaging with legislation, including January’s Data Act, March’s Artificial Intelligence Act, and last year’s Digital Operational Resilience Act (DORA).4,5,6 Businesses in North America will also have to place data governance front of mind.

It is unclear whether Canada’s Bill C-27, which includes the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, will progress or remain stalled.7 However, change is afoot at the provincial level. Quebec’s Law 25, which already sets strict rules for the management of data from individuals in the nation’s second-most-populous province,8 began enforcing data portability in September.9

Amid a raft of U.S. state-level legislation, including a Maryland law requiring businesses to ensure the least possible amount of data is collected,2 the U.S. Consumer Financial Protection Bureau (CFPB) aims to make its long-anticipated Personal Financial Data Rights rule final this fall.10 A tiered compliance timeline will require the largest institutions to achieve compliance within six months of publication.11 While it is still unclear how the proposed rule will intersect with the various state-level data privacy regulations—not to mention MiFID II rules for retention of financial records—its data portability requirements will present a significant challenge for institutions.

In addition to setting requirements around consent for data sharing, the proposed rule requires institutions to be ready to transfer consumer data securely, using a standard, machine-readable format to consumers and permitted third parties, with a proposed accuracy rate of 99.5 percent.12 The CFPB recently outlined the requirements for bodies that will set the standards for this machine-readable format, but the standards remain undefined.13

Data governance helps navigate the regulatory landscape

Data governance sets rules that cover the use of data from collection to disposal, enhancing data security, improving data quality, making data more accessible, improving the reliability of data assets, and enabling compliance with industry regulations.

Fundamental principles of data governance include security, creating and maintaining data standards, accountability through clearly defined task ownership, transparency through clearly defined policies, and quality, focusing on accuracy and completeness. Collaboration is also crucial, with legal, compliance, and technical teams cooperating across often siloed departments and disparate knowledge bases.

Data governance can help institutions meet the most common requirements of the many regional, national, and international privacy laws—without compromising their ability to access and act upon strategically valuable information.

Clear data handling policies should span the data lifecycle, enabling privacy to be ensured from creation to disposal. Accountability should improve oversight of processes to ensure they align with privacy policies. Transparency is key to managing both data and consent. Effective vendor oversight is also critical.

Institutions should prepare for a wave of change

Compliance with both current and anticipated data regulations at local, national, and international levels has never been more important. Data breaches increased 20% in 2023.14 In addition to the reputational and operational consequences of data breaches, fines for non-compliance can be steep. Even regularly updated data strategies may need refreshing.

Depending on their level of maturity, leaders accountable for data management and technology should consider the following actions:

  • Create a data governance strategy that encompasses data privacy goals.

  • Designate Subject Matter Experts (SMEs) responsible for compliance with specific regulations.

  • Invest in strategic data infrastructure to enhance security, enable more effective data management, and deliver more resilient data assets.

  • Keep the management of data and privacy separate from auditing for compliance.

  • Identify, tag, and track personally identifiable information and sensitive personal information.

  • Plan and define the proposed uses of data before collection.

  • Conduct privacy impact assessments on new projects without stifling innovation.

New technologies will require new approaches, and a future-proof data strategy must value data quality, security, compliance, and speed in order to meet a volatile, ever-changing, and uncertain environment.


1. Bloomberg Law, "Comparing U.S. State Data Privacy Laws vs. the EU’s GDPR," July 2023.

2. Bloomberg Law, "Which States Have Consumer Data Privacy Laws?" March 2024.

3. F. Paul Pittman, Abdul M. Hafiz, Nathan Swire, "Minnesota Enacts Comprehensive Consumer Data Privacy Law," White & Case, June 2024.

4. European Commission, "Data Act," April 2024.

5. European Parliament News, "Artificial Intelligence Act: MEPs adopt landmark law," March 2024.

6. European Insurance and Occupational Pensions Authority, "Digital Operational Resilience Act (DORA)," accessed July 2024.

7. House of Commons Canada, "Bill C-27," May 2024.

8. Statistics Canada, "Population Estimates Quarterly," June 2024.

9. Sarah Stein, "Quebec’s Law 25: Many Provisions Take Effect Today," The National Law Review, September 2023.

10. F. Paul Pittman, Hope Anderson, Abdul M. Hafiz, "What to Expect in U.S. Privacy for 2024," White & Case, December 2023.

11. Consumer Financial Protection Bureau, "Fast Facts: Personal Financial Data Rights Proposed Rule," October 2023.

12. Andrew C. Glass, Gregory N. Blase, Joshua Durham, "Overview of the CFPB’s Proposed Open Banking Rule and Final Industry Standard Setting Rule," The National Law Review, June 2024.

13. Consumer Financial Protection Bureau Newsroom, "CFPB Launches Process to Recognize Open Banking Standards," June 2024.

14. Stuart Madnick, "Why Data Breaches Spiked in 2023," Harvard Business Review, February 2024.

Kim Jaffee-Prado, CIO, US Capital Markets & Head Investment & Corporate Banking & Office of the COO Technology