EY privacy experts Angela Saverice-Rohan and Andrew Heaton help professionals understand the influence that data privacy and data security regulations have on business.
Working for one of the world’s largest professional services firms, Angela Saverice-Rohan and Andrew Heaton of EY are deeply engaged in conversations with clients across the globe as they contend with the onset of robust privacy and security regulations.
John Wandrisco, head of the Technology Practice Group for the Tax & Accounting business of Thomson Reuters, spoke with Angela (EY’s Americas’ Leader for Privacy) and Andrew (EY’s Global Lead Counsel – Data Privacy/Security) to gain their insights on what tax and accounting professionals should know about GDPR, data residency and shared services, steps to evolve one’s data privacy policies, and more.
JOHN WANDRISCO: What is data privacy, and why is it important to corporations, their tax departments and other departments?
ANDREW HEATON: When we talk about data privacy, we are normally talking about the collection, use, disclosure and general processing of personal information, which is generally described as information that can be tied either directly or through reference to other materials to live individual people. This is a matter of importance to tax practices as well as to others because there are all sorts of circumstances in which people’s personal information is relevant to tax, such as in preparation of individual income tax returns replete with personal information, but also in providing services to corporate tax clients.
Personal information is quite important because there are references to things like individual social security numbers and individual tax circumstances. Even just identifying lists of board members, partners and partnerships, and the amount of income that might have been paid to different people – all these sorts of things are areas that are relevant to corporate tax returns. There is no question that the privacy focus on corporate taxes is quite important for that reason.
WANDRISCO: When reading about personal data, you come across terms such as Personal Identifiable Information (PII) and Sensitive Personal Information (SPI). What are some good working definitions for these terms?
HEATON: There are all sorts of different terms that are used for this kind of data but in general, I think in the privacy world, we tend to divide personal data into maybe two or three categories. Personal Identifiable Information is really any data that is linked to a person, and this can be confusing to people because there tends to be an assumption that if the data is quite general or innocuous or publicly available, then you don’t have to worry about it.
In fact, anything that can be linked to a person – whether it’s the person’s name, birthday, address, phone number, etc. – no matter whether it’s a sensitive piece of information or not, is considered personal data and I would put it in the category of PII. Now, going beyond that, there are various rules that apply under different laws and different jurisdictions for data that may be considered more sensitive for one reason or another.
In the United States, there tends to be a lot of focus on financial and health information. In some other countries there are other categories such as religion, ethnicity, trade union membership and other things that also fall into the more sensitive category. I think, in the tax world, the types of information that are probably most likely to fall into this category are social security numbers and other government identifiers that are used for tax purposes and financial account numbers, such as bank account numbers and so on.
WANDRISCO: In looking at how you’re working with your clients, how are you advising them to evolve their data privacy policies, given regulations like GDPR?
SAVERICE-ROHAN: Clients need to have policies that include the concepts of privacy and aspects of data protection. The GDPR is very much focused on the protection of the individual’s rights to the privacy of their data. The amendment to policies across the board really focuses on the use of that data.
They have to be able to answer questions such as, “Is the company using personal data in the right way?” “Do they have the right permissions or legal basis to do so?” “Does the policy give guidance to the organization on the considerations that have to be taken into account before any new use of data?” There are certainly some net new policies that companies have to put in place because these are new requirements: requirements around having privacy impact assessments; requirements around building privacy by design into their systems and software development life cycle; requirements around the treatment of employee data with accompanying modifications to their human resources systems and policies, as well as the data that Andy was talking about from the corporate tax perspective.
WANDRISCO: If you were talking to somebody who is leading an operational function – like a head of a tax department or HR organization – what should they be considering as they look at new policies and changes within the confines of their function or area of expertise?
SAVERICE-ROHAN: We tell clients that as a foundational matter they need to understand the landscape of personal data that supports their particular business function. They need to understand the controls that are in place as data moves within their function, including to the extent that they’re using third-party applications to support their operations and the controls put in place by the vendor. That’s really a starting point.
The second step is to go through the exercise of determining the lawful basis on which their function has collected and maintains personal data to begin with and ensuring that the usage of the data today, as well as prospective use cases tomorrow, aligns with that lawful basis and the permissions associated with it.
What we have found is, prior to the GDPR, there was a general notion that most, if not all, uses of employee data were justified as necessary to support the employer-employee relationship, without giving further consideration to employee privacy or a weighting of the interests of the employee against those of the employer. Under the GDPR, however, it’s quite clear that employee data receives the same protections and rigor as consumer data. It requires the same analysis of use cases and support for its permissible use.
All of this supports one of the fundamental principles in the GDPR, which is to provide transparency to individuals about what personal data a company has about them and how it is using that.
Transparency is closely related to another key privacy principle that is woven throughout the GDPR … choice. You cannot truly have free choice as an individual about practices involving your personal data if you are not being fully informed about what data is collected, how it’s used and how it’s protected. The absence of transparency makes choice a façade.
WANDRISCO: Regarding data residency, data transfer and privacy by design: As professionals and corporations start to leverage more global shared service centers and centers of excellence, what precautions should they be taking?
HEATON: As Angela mentioned, it is really important to have an understanding of what your vendors are doing in the space of privacy. It’s really a requirement, not just under the GDPR but increasingly under regulatory schemes in the United States as well. Working globally is really an essential part of providing services to any kind of large corporation today. There is a real need to be able to move data from place to place in order to meet the needs of doing corporate tax work for a large corporation.
In addition to that, there are efficiencies to be found – and in some cases money to be saved – in terms of 24/7 coverage and in getting expertise from local jurisdictions that makes it attractive to be able to perform tax services globally.
There are a number of different requirements that apply in various jurisdictions relating to the transfer of data. As a general matter – although there are some countries where there are localization requirements, where data needs to stay in that country – in most cases, data can be moved around but it has to be moved around pursuant to particular rules and in some cases, with protections in place to make sure the data will be handled appropriately. That’s true under the European Union law, and it’s also true with respect to a lot of tax work in the United States that’s governed by certain provisions of the Internal Revenue Code.
When a company is looking to use a tax provider, it really needs to make sure that the tax provider has thought about these issues and is ready to deal with them. If you have a conversation with a potential provider and ask the right questions, the provider should be able to answer the questions and provide documentation about what they’ve done to enable themselves to move data around the world and to receive data from the client, if that data happens to be in other places.
Having that conversation with the provider is really important to determine whether they’ve done the prep work necessary to be able to provide services globally.
WANDRISCO: How would you contrast data privacy with data security? Thinking back to some of the big disclosures such as the Panama Papers and the Paradise Papers disclosures, were those data privacy or data security failures?
HEATON: The way I look at it, data security and data privacy are overlapping concepts. Data privacy relates to personal data; it not only relates to the improper disclosure of the data but also to how you’re using it and whether you’ve gotten appropriate consent from people and given appropriate notices. The concept of data security applies to data that is much broader than just personal data, but includes corporate data (such as financial data) as well.
Security is about preventing unauthorized disclosure of the data, as opposed to how the data is used within an organization. Something like the Panama Papers would be a data security case, but to the extent that personal data was included in that leak, data privacy would be implicated as well.
SAVERICE-ROHAN: In addition to what Andy just noted, I think one of the principal intersections relates to the principle of data minimization. That was very much the case with the Panama Papers. The principle of data minimization from a privacy perspective usually comes into play at the time of collection; that is, you shouldn’t be seeking more personal data from an individual than what is needed to minimally perform whatever the necessary processing is. Thereafter, once that data is collected, the principle of minimization needs to be kept in mind … forcing the organization to have checkpoints to make certain that the personal data is still necessary to maintain, in an identifiable format, when processing for the original purpose is complete or no longer necessary.
That’s also a similar concept in information security focusing on minimizing your overall exposure and potential for breach by minimizing data that you don’t need. If you look at the Panama Papers, they had so much data going back decades and decades that presumably had very limited value at a certain point. Had the right risk management processes and checkpoints been in place, it could have been identified as “obsolete” data, anonymized or destroyed, thereby minimizing the risk and supporting minimization with respect to privacy.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.