This item is being published in the WealthBriefing family of newswires - including those covering Asia and North America - because the data protection issues confronting HNW people are often cross-border. Crypto-attackers don't recognise national borders, and neither should those protecting clients.

The editors of this news service are pleased to share these views but do not necessarily endorse all the ideas of contributors and invite responses. Email tom.burroughes@wealthbriefing.com.

What is on the data protection horizon for 2019

We may expect:

1. Expansion of data protection principles to cover technology advancements

The Information Commissioner’s Office (ICO), the UK body that reports to parliament on data security issues, has identified cyber security, AI, big data and machine learning, and web and cross-tracking devices as tech priorities for the year ahead. In fact, this year’s International Data Protection Day (January 28) coincided with the publication of the Council of Europe’s guidelines on artificial intelligence and data protection, essentially with the aim of ensuring that AI applications do not inhibit or undermine established rights to data protection or the protection of human rights.

2. Extension in the territorial scope of "protected’" data transfer

The New Year has already seen a "mutual adequacy decision" between the EU and Japan, which permits the flow of data following certain assurances and agreements that adequate safeguards are in place. Similar talks are underway with South Korea and, of course, depending on what happens with Brexit, we hope 2019 will see a similar adequacy decision in respect of UK/EU data flow.

3. A continuing rise in data breach litigation

As data protection and rights awareness grows, so will the ability to enforce those rights and claim for loss when such rights are abused. Given the scope and rate of technology development, the trend in rising litigation in this area is unlikely to reverse any time soon.

4. Greater clarity as to when and how the data protection rules apply

Judgments, published guidance, and industry best practice will hopefully assist in ending confusion arising from scenarios that do not fit squarely within the GDPR/DPA framework, such as lay trustees’ and executors’ duties and obligations in respect of holding personal data.

Common risks for HNWIs

HNWIs are particularly vulnerable to data protection risk because they typically wear more than one hat. For example, some are employers (domestically and commercially), landlords, company directors, company shareholders, heads of charitable organisations or societies, owners of cars, boats, aircraft or properties, settlors of trusts or trust beneficiaries.

• They may be subject to data protection obligations as data controllers and failure to comply may result in fines – a failure to protect personal data of employees or tenants, for example, may result in data breach litigation.
• HNWIs are likely to have an international footprint so the transfer of data between countries and the interaction of the data protection and privacy laws in other countries (particularly those outside territory governed by GDPR or adequacy decisions) should be taken into account to ensure both compliance and protection of data.
• They may also have a public profile or extensive social media following and in some cases their reputation or ‘personal brand’ has significant economic value. A HNW individual may wish to protect their brand by enforcing their rights to correct or delete personal data, as well as ensuring the secure retention of data with a view to controlling the dissemination of certain information.
• Managing and enforcing one’s rights in respect of their personal data is also relevant where there may be inaccurate or misleading information in the public domain that adversely affects an individual’s (or an individual’s company’s) credit rating or client acceptance applications for AML compliance purposes.
• The sheer magnitude of publicly available personal data for certain HNW individuals (from social media, companies house, HM Land Registry, business websites, news and internet) will provide a very detailed profile of an individual, which can be used to obtain further personal data by unscrupulous means (for example phishing and blagging). Not only will blagged personal data have a significant resale value, the nature of that personal data is likely to allude to the availability of deep pockets – leaving people vulnerable to threats such as blackmail, fraud, or simply loss arising from the sale of their private or personal data.

Trustees are slowly waking up to their data protection responsibilities and people may find that their trust structures are not as robustly confidential as first thought.

Mitigating the risks in 2019

Knowledge and training

Knowledge is power - this is certainly true in the digital age where rapid technological advances expand the ways in which data is gathered and exploited, often ahead of regulation and legislation. Not only does an individual need to be well informed as to their obligations and rights in respect of data protection, they need sufficient understanding of new technologies and applications to ascertain how/when/where their personal data might be acquired by whom and for what purpose in order to be able to enforce their rights.

Audit

Individuals who determine that they may be a data controller should familiarize themselves with their data protection obligations and may wish to carry out an audit to determine the types of personal data that they may be responsible for, including what/whose personal data you hold, whether you have the right to hold it and how you hold or use it.

You also need to consider what personal data of yours is held by others, whether they need to retain/use it, how they use it, whether it is secure and whether you should request its deletion.

Security

HNW individuals should review all their security settings, for example, for social media accounts, communications systems, and all devices, just like any other individual. Depending on the complexity of the HNWI's circumstances, they may wish to engage specialist cyber security advisors to undertake a thorough review, and/or recommend security protocols, which should be updated regularly.

The definition of personal data is extremely wide and the generation of personal data relating to each individual is constant, so it follows that the use of personal data will continue to dominate every aspect of our lives. Coupled with the significant value of personal data (both emotional and economic), time spent educating ourselves, taking specialist advise where necessary and protecting our personal data (or mitigating risks to it) will be increasingly vital, and with the likes of the Council of Europe, the EU, and the ICO promoting awareness on occasions such as the International Data Protection Day, we can build on our knowledge of developments in this sector to do so.

About the author

Caroline Rao specialises in multi-jurisdictional structuring and cross-border issues. She advises ultra-high net worth and international high net worth individuals and families, their family offices and trustees/fiduciaries based all over the world. She has advised clients in relation to a diverse range of asset classes, including real estate, financial portfolios, trading and investment companies, art collections, aircraft and yachts.