GDPR Vs AML - Managing the unique challenges
Harriet Holmes
AML Services Manager
This article draws upon insights shared by Emma Williams, Director of Risk and Compliance at Simpson Thacher & Bartlett LLP, during her presentation titled "GDPR vs MLR: Considerations, Challenges, and Time Bombs" at the AML and Financial Crime Conference 2024. Her expertise provides valuable context for our discussion on the intersection of data protection and anti-money laundering regulations.
Introduction
We must be curious about the interplay between GDPR and MLR. In a 2018 piece on curing insomnia, Calm, the meditation app, described GDPR as able to 'sedate a buffalo'. We may not convert everyone into a GDPR enthusiast, but we can foster curiosity in place of ambivalence. Join me on a journey of discovery.
Are you a unicorn?
A unicorn is someone who is genuinely expert in both GDPR and MLR, rather than strong in one and merely familiar with the other. These individuals are rare. Are you one? Do you know a unicorn?
Now you're smiling, hopefully.
Let's understand what legislation we are talking about:
GDPR - In the UK, the General Data Protection Regulation applies as the UK GDPR, supplemented by the Data Protection Act 2018. A key aim is to give individuals rights over their personal data, including the right to know what information is held about them and the right to access it.
MLR - The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. The MLR sets out obligations for firms in the regulated sector, where the money laundering risk is higher. They aim to prevent criminals from using professional services to launder money by requiring those firms to take a risk-based approach: firms must identify and verify their clients and monitor how their services are used.
The expectations of the Information Commissioner's Office (ICO) and the Solicitors Regulation Authority (SRA) overlap for all of us. To bring this to life, the Legal Sector Affinity Group (LSAG) guidance refers to data protection repeatedly (a quick ctrl+F search finds it on 18 pages).
The ICO is the UK's independent body set up to uphold information rights, covering laws including the Data Protection Act 2018, Freedom of Information Act, and Privacy and Electronic Communications Regulations.
The relationship between GDPR and MLR is complex and often difficult for organisations to navigate. Both regimes exist to protect people, one by safeguarding their personal data and the other by keeping the proceeds of crime out of the financial system, yet they can appear to pull in opposite directions. GDPR emphasises data minimisation and limited retention, while MLR requires firms to collect identity information and keep it for a prescribed period. This tension creates a balancing act: firms must meet the requirements of both without compromising either. Understanding the interplay is the foundation of a compliance approach that satisfies both data protection and anti-money laundering obligations.
Information
Let's take a closer look at some of these elements. Personal data is any information relating to an individual (data subject) that can identify them. Examples include:
First name and last name together
Email address
Postal address
Photograph
Phone number
Signature
GDPR regulates the processing of personal data, and AML requirements mandate the collection of personal data. This overlap highlights the intricate relationship between anti-money laundering requirements and data protection regulations, emphasising the need for a balanced approach that satisfies both sets of obligations while respecting individuals' privacy rights.
In the context of data protection, there are some key players we must acknowledge before we move on:
Data Subject - The identified or identifiable living individual to whom personal data relates.
Data Controller - A 'controller' is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor - A ‘processor’ is the natural or legal person who processes personal data on behalf of the controller.
Data Controllers and Processors responsible for using personal data must follow strict rules called "data protection principles." They must ensure the information is:
Used fairly, lawfully, and transparently
Used for specified, explicit purposes
Used in a way that is adequate, relevant, and limited to only what is necessary
Accurate and, where necessary, kept up to date
Kept for no longer than necessary
Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage
Retention periods
UK GDPR states that personal data must be accurate and kept for no longer than necessary for the purposes for which it was collected. This raises a question about expired passports held on file: the record of what was verified at the time remains an accurate record of that check, but an expired document is no longer accurate evidence of a client's current identity, which matters when you rely on it for ongoing monitoring.
The Money Laundering Regulations (Regulation 40) require that Customer Due Diligence (CDD) records be kept for five years from the end of the business relationship or the completion of the occasional transaction. That is a minimum, not a licence to keep data indefinitely: once the five years have passed, GDPR principles apply in full and the data should not be kept without a further valid reason. Firms should record their rationale for any retention beyond that period.
The right to be forgotten
Under Article 17 of the UK GDPR, individuals have the right to have their personal data erased. The right to erasure is also known as 'the right to be forgotten', but it is not absolute. In particular, it does not apply where processing is necessary to comply with a legal obligation.
If you are required by law to process an individual's personal data, the right to erasure will not apply while that requirement lasts. Once the five-year period set out in Regulation 40 has run, however, the legal obligation falls away and, absent another documented lawful ground for retention, an erasure request would have to be honoured.
Inform - Policies, controls, and procedures
Our data subjects have rights, including the right to be informed. Consider your policies, controls and procedures and how they account for the elements discussed here. How do we inform our clients? When did you last read or review your privacy notice or engagement letter? Do you specifically tell clients which data points are necessary and how long they will be retained? Are you confident that the information you provide is concise, transparent, intelligible, easily accessible, and written in clear and plain language? Your privacy notice should state your lawful basis for processing as well as the purposes of the processing.
Examples could be:
Under R41(1) MLR, any personal data that you obtain for the purposes of the Regulations may only be processed to prevent money laundering or terrorist financing.
Under Article 13 of the UK GDPR, you must provide individuals with information including your purposes for processing their data, your retention periods for that personal data, and who it will be shared with. This is also known as 'privacy information', and you must provide it at the time you collect the data from them.
Training
We must also protect what we have. You've been entrusted by a data subject, and we should not undervalue our responsibility to these individuals—security must be a priority.
A great test is a self-assessment: ask yourself, "Would I be happy if my personal data were being handled this way?"
Where do you store client due diligence and personal data? Do you have conflicting storage areas? Do you know where your teams are storing this information? Training our teams to understand their obligations and why they're important is crucial. Training must include data protection and GDPR. Did you know that the ICO recommends all staff be trained within one month of joining a firm, and ideally annually thereafter?
Here's a tip: review your data breach register. What does it tell you? Often, breaches can be attributed to human error, but a common factor is frequently a lack of regular, meaningful training. Ask yourself: when was the individual involved in the breach last trained?
Consent as a concept
As professionals, we can become fixated on the concept of consent, and that fixation can make our lives trickier than they need to be. It is worth understanding why.
Under UK GDPR, you must have a valid lawful basis to process personal data. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Consent
Contract
Legal obligation
Vital interests
Public task
Legitimate Interest
You must determine your lawful basis before you begin processing and document it. Consider whether a basis other than consent is more appropriate for a given processing activity. Relying on consent carries its own risks: the UK GDPR requires that consent be freely given and that the data subject can withdraw it at any time. Someone may say no, and someone may withdraw it later.
So, seeking consent to acquire and hold data at the start of a relationship where there is a legal requirement to hold it is, in essence, a dead end; the legal obligation is the basis, and the statutory requirement takes precedence. Retaining data beyond the prescribed period is different, and consent may well be the right basis there. Think about consent in terms of stages and requests, and seek it at the right point in time. We often hear people say they are awaiting consent, but where there is a statutory obligation the question is whether you need that consent at all. It is critical to distinguish informing our clients from asking their permission: in many cases, we do not need to wait for consent.
Ongoing monitoring
How do you manage the risk? There's a positive duty to data minimisation—is there a legal basis for retention beyond five years? Do you close client records? Do you have a data deletion policy? How does it work in practice? Do you have a policy but no monitoring of its effectiveness?
How do you monitor the personal data your firm holds? We have all called our utility or phone providers and been asked core questions to confirm our email address, postal address and so on. That is part of their reasonable steps to keep data accurate and up to date.
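The retention period, the right to erasure and the monitoring questions above come together in practice as a decision that someone, or some system, has to make for every record: is this data still under the Regulation 40 hold, has the hold lapsed, and if so is there a documented reason to keep it? The following Python is an added example written for this article, not code from the author, the conference presentation or any firm's actual system. It assumes a hypothetical CDD register in which each record carries the date the business relationship ended and an optional free-text field for a documented extended-retention ground; the client references and dates are constructed for illustration. It is not legal advice and does not model every exception in Regulation 40, only the structure of the decision the text describes.

```python
"""Retention and erasure decision logic for CDD records (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Regulation 40 MLR 2017: CDD records are kept for five years from the end of the
# business relationship (or completion of the occasional transaction).
RETENTION_YEARS = 5


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping 29 Feb to 28 Feb where the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class CddRecord:
    client_id: str                                   # hypothetical internal reference, not a real client
    relationship_ended: Optional[date]               # None while the client relationship is still open
    extended_retention_ground: Optional[str] = None  # documented reason for keeping data past five years


def statutory_hold_ends(rec: CddRecord) -> Optional[date]:
    """Date on which the Regulation 40 retention period expires, or None for an open relationship."""
    if rec.relationship_ended is None:
        return None
    return add_years(rec.relationship_ended, RETENTION_YEARS)


def decide_erasure_request(rec: CddRecord, received: date) -> tuple[str, str]:
    """Apply Article 17 UK GDPR to an erasure request against the MLR retention obligation.

    Returns (decision, reason): 'refuse' while the legal obligation applies (Art 17(3)(b)),
    'erase' once it has lapsed with no further lawful ground recorded, and 'review' where a
    ground is recorded and must be re-justified rather than assumed.
    """
    hold_ends = statutory_hold_ends(rec)
    if hold_ends is None:
        return "refuse", "Art 17(3)(b): CDD data is needed to meet MLR obligations for an active client"
    if received < hold_ends:
        return "refuse", f"Art 17(3)(b): Regulation 40 retention period runs until {hold_ends.isoformat()}"
    if rec.extended_retention_ground:
        return "review", f"statutory period lapsed; documented ground needs re-justifying: {rec.extended_retention_ground}"
    return "erase", "statutory period lapsed and no further lawful ground is recorded"


def retention_sweep(records: list[CddRecord], today: date) -> dict[str, str]:
    """Classify every record so the deletion policy's effectiveness can be monitored, not just written down.

    'overdue_for_deletion' is the status a deletion policy with no monitoring never sees.
    """
    result: dict[str, str] = {}
    for rec in records:
        hold_ends = statutory_hold_ends(rec)
        if hold_ends is None:
            result[rec.client_id] = "active"
        elif today < hold_ends:
            result[rec.client_id] = f"statutory_hold:{(hold_ends - today).days}d"
        elif rec.extended_retention_ground:
            result[rec.client_id] = "extended:documented"
        else:
            result[rec.client_id] = "overdue_for_deletion"
    return result


# Constructed sample register: references and dates are made up for this example.
SAMPLE_REGISTER = [
    CddRecord("C-001", None),
    CddRecord("C-002", date(2021, 3, 15)),
    CddRecord("C-003", date(2018, 6, 30)),
    CddRecord("C-004", date(2017, 11, 2), "ongoing litigation, risk assessment ref RA-17 (hypothetical)"),
]
AS_OF = date(2024, 10, 1)  # constructed 'today' for the walkthrough


def example_decisions() -> dict[str, str]:
    """Decision for an erasure request received on AS_OF for each sample record."""
    return {rec.client_id: decide_erasure_request(rec, AS_OF)[0] for rec in SAMPLE_REGISTER}


if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(rec.client_id, *decide_erasure_request(rec, AS_OF))
    print(retention_sweep(SAMPLE_REGISTER, AS_OF))
```

Running the sweep regularly and reviewing anything flagged overdue is the monitoring step the questions above ask for; a register that only ever shows "active" and "statutory_hold" tells you the closing of client records is not being captured.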
If you work with third parties or outsource any elements, understand where data is held and how it's secured. Ensure you read your agreements through a GDPR lens. Consider: Who are they? Where are they? What happens? How is it stored? Where is it stored?
Remember, liability stays with you as the law firm. It doesn’t transfer to a third party.
Key takeaways:
Build a network, both external and internal. Find yourself a unicorn—someone who's an expert in both GDPR and MLR.
Data protection isn't a nice-to-have—it's a must. Lead with conviction. Embrace GDPR with curiosity and don't underestimate its potential.
Minimise data retention: Keep only what's necessary, for only as long as needed.
Provide clear information and notices to data subjects.
Be curious and know where you store Customer Due Diligence (CDD) information.
Review and understand your third-party contracts through a GDPR lens.
Maintain thorough records and implement effective deletion processes.
Train your employees thoroughly to understand the importance of data protection and compliance.