How Banks Navigate Data Localization and Protection Laws

"We are fast approaching a new era of the Data Age."¹ - Data Age 2025, IDC Whitepaper

The unprecedented expansion of the world's data¹ has prompted financial institutions to explore inventive methods for extracting insights. Consumers of data are using more sources than ever, even alternative data that may have once been considered secondary output from existing processes. This evolving landscape necessitates a unified approach to data management, with a notable trend toward centralization. The adoption of a centralized data platform has emerged as the new standard, increasingly acknowledged as the foundational solution for holistic data utilization.

However, the ability of global banks to fully leverage data is notably constrained by a crucial factor: the necessity to comply with data localization and privacy laws. These regulations, which dictate where data can be stored and processed, are increasingly stringent and varied across jurisdictions.

Data localization, privacy, and residency: Understanding the laws

With the rise of digital economies and increasing concerns over data privacy, global banking is seeing a growing focus on robust data protection measures. These laws are complex and present a critical challenge, as they dictate where and how data can be stored and processed, varying significantly from country to country. The European Union’s (EU) General Data Protection Regulation (GDPR) has been widely recognized as a comprehensive data regulation framework, leading many countries to adjust their own frameworks to align with GDPR's core principles.

The types of data subject to these laws are also diverse and can include personal data, transaction histories, financial analyses, and risk assessments. As the domains of alternative data grow increasingly diverse, it becomes more important to pay close attention to these laws.

Examples of data localization and privacy laws across the world:

The United States

The US has many data privacy acts across states that grant consumers rights over their personal data and impose obligations on businesses to obtain consent and disclose collection practices. These include the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and the Connecticut Data Privacy Act (CTDPA)².

Europe

Perhaps the most influential data regulation, the EU's GDPR provides a comprehensive framework for data protection. GDPR applies to all EU member states, emphasizing individual rights and strict compliance requirements. The UK GDPR mirrors the EU GDPR but is tailored for the UK post-Brexit. Switzerland's Federal Act on Data Protection (FADP) regulates the processing of personal data in Switzerland, also aligning closely with GDPR principles, a story that echoes across other countries in the region.³

Asia Pacific

One of the strictest privacy laws globally is South Korea's Personal Information Protection Act (PIPA), which applies to a broad range of entities, establishes rigorous consent requirements, and includes stringent penalties⁴. PIPA is also relatively dynamic, reviewed for regular updates to adapt to changing markets and technology advancements. In Japan, the Act on the Protection of Personal Information (APPI) was recently amended to align with GDPR standards³.

Five key principles of data localization, privacy, and protection regulations

The principles underlying major global data localization, privacy, and protection regulations can be categorized into several key themes.

• 1.Data protection and privacy rights

• Individual consent: most regulations require explicit consent from individuals before their personal data can be collected or processed. This principle is central to laws like the GDPR in the EU and the Personal Information Protection Law (PIPL) in China⁵.
• Right to access and rectification: individuals typically have the right to access their personal data held by organizations and request corrections if necessary. This enhances transparency and accountability.

2. Data localization requirements

• Geographical restrictions: many laws mandate that certain types of data must be stored and processed within national borders to protect national security and enhance control over data. Countries like China, Russia, and Indonesia enforce strict localization rules.
• Dual storage models: some regulations allow for data to be copied outside the country but require a local replica to aid compliance with local laws, as seen in Malaysia and Indonesia.

3. Security measures

• Data security obligations: regulations often impose stringent security measures that organizations must implement to protect personal data from breaches or unauthorized access. This includes requirements for encryption, access controls, and regular security assessments.
• Breach notification: laws like GDPR require organizations to notify authorities and affected individuals promptly in the event of a data breach, ensuring that risks are managed transparently.

4. Cross-border data transfers

• Adequacy decisions: many regulations provide mechanisms for cross-border data transfers based on the adequacy of protection in the recipient country. The GDPR outlines specific conditions under which data can be transferred outside the EU.
• Standard contractual clauses (SCCs): these are used to facilitate international data transfers while ensuring compliance with local privacy standards.

5. Accountability and governance

• Data protection officers (DPOs): some laws require organizations to appoint DPOs responsible for overseeing compliance with data protection regulations, enhancing accountability.
• Impact assessments: organizations may be required to conduct Data Protection Impact Assessments (DPIAs) before processing certain types of personal data, particularly when there is a high risk to individual rights.

The importance of compliance

The penalties for banks that fail to comply with data localization laws can be severe. Legal penalties can include fines, and financial penalties can include significant monetary losses and operational disruptions. However, the most significant impact of non-compliance is the potential damage to a bank’s reputation.

In 2021, the Spanish bank CaixaBank faced a fine of €6 million ($6.6 million), the 10th biggest GDPR fine globally that year. More recently, the Italian Data Protection Authority fined UniCredit Italy for failing to protect customer data during a cyberattack, which compromised personal data and violated GDPR standards⁶.

Data localization laws have a significant impact on how banks manage data sharing, processing, and storage. This shift often requires significant investments in infrastructure and technology but is a necessary step to ensuring data integrity and compliance with the law. Conventional practices such as cross-border data transfers and cloud storage solutions must be carefully examined to verify they are in line with the legal requirements. Banks need to engage with cloud service providers who meet specific jurisdictional requirements, otherwise risk having to establish local datacenters and taking on the risks and limitations of on-premises technology.

YOU MIGHT LIKE: The Evolution of IRRBB

Addressing data protection concerns

Meeting compliance with data protection and localization laws requires banks to implement a sophisticated data infrastructure. This infrastructure and its surrounding processes can deploy data masking, fencing, and encryption — all of which play a crucial role in safeguarding data. However, it is not enough to simply have these measures in place. It is equally important to have a robust governance framework, proper training and education for employees, and effective business continuity planning.

Data lineage tracking

Track the movement of data to trace the origin and journey of data through different systems and depots. This is crucial for banks to enforce data retention within specified boundaries, monitor how data is being transformed, and comply with regulatory requirements.

The three most important pre-requisites to establish proper data lineage are:

• A data catalog with proper documentation: this includes detailed information on the source of the data, any transformations or manipulations that were performed, and how the data has been used in different processes. This ensures transparency and accuracy in understanding the origin and usage of data.
• Data mesh architecture: allows for a centralized view of data lineage, making it easier to track and trace data as it moves through different systems and processes. This architecture also enables data to be accessed and utilized by various teams and departments, promoting collaboration and reducing data silos.
• A capital-markets-aware data model: is crucial for efficient data transfer and maintaining data lineage. This data model is designed specifically for financial markets, taking into account the unique needs and regulations of this industry. It can be adapted and augmented, as needed, to accommodate changes and growth within the organization, ensuring efficiency and accuracy in data lineage.

Data masking techniques

Data masking safeguards sensitive information during processing and analysis. By obscuring identifiable data elements, banks can reduce the risk of exposure. Various techniques are employed in data masking, including:

• Static data masking: involves creating a duplicate dataset where sensitive information is masked. This version is used for testing or development, ensuring the original data remains untouched.
• Dynamic data masking: alters data in real-time as it is accessed, ensuring that only authorized users can view the original data while others see masked versions.
• Pseudonymization: replaces sensitive identifiers with pseudonyms, allowing for reversible masking when necessary.
• Anonymization: completely removes identifiable information, making it impossible to trace back to the original data.

Data fencing strategies

Data fencing involves implementing geographic restrictions on where data can be stored and processed. This is particularly important for organizations operating in multiple jurisdictions, as the data remains within the legal boundaries set by local laws.

Key aspects of data fencing:

• Access control policies: establish and enforce specific policies that dictate who can access sensitive data and under what circumstances.
• Protection against threats: safeguards data from various cyber threats, including unauthorized access and client-side attacks, ensuring the confidentiality, integrity, and availability of information.
• Data integrity: ensures that digital information remains uncorrupted and accessible only to authorized users, fostering a secure environment for data throughout its lifecycle.
• Customization: allows for tailored security measures based on the sensitivity of the data, enabling organizations to classify data and apply specific security protocols accordingly.

Future trends in data localization for banks

The banking industry is currently undergoing a significant shift in data localization practices, propelled by technological progress and evolving regulatory frameworks. The increasing adoption of cloud services is expected to heighten the demand for more sophisticated data localization solutions. While cloud computing offers scalability and operational advantages, it also poses challenges in maintaining data within designated geographic constraints, as stipulated by local statutes. Financial institutions are advised to invest in cutting-edge technologies capable of effectively managing data residency obligations while upholding stringent security and compliance standards.

The regulatory environment is also in flux, with many governments contemplating more stringent data localization statutes due to escalating concerns over data privacy and national security. This trajectory is anticipated to elevate compliance expenses for banks, compelling investments in more robust data management platforms. These approaches can effectively balance data privacy with the imperative to optimize the bank’s access to data, safeguarding sensitive information without impeding operational efficacy.

The future trends of data localization will require banks to work closely with technology providers to develop effective strategies. This collaboration can lead to the creation of innovative solutions that integrate the latest technologies with compliance needs. By working together, banks and tech providers can leverage each other's expertise to address the unique challenges presented by data localization laws, ultimately enhancing data security and operational resilience. As the industry continues to evolve, these collaborations will play a pivotal role in shaping the future of data localization for banks.