Chapter 17 Further Reading: Data Privacy, GDPR, and Cross-Border Data Compliance


GDPR and UK GDPR

General Data Protection Regulation (EU) 2016/679 The full text of the GDPR, including recitals, is available at EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

The recitals are not operative provisions, but the CJEU and supervisory authorities rely on them when interpreting the articles, so each article should be read alongside its recitals. For financial services the most useful are Recitals 26-34 (personal data, anonymisation and pseudonymisation, scope of the Regulation), 47 (legitimate interests, which expressly names fraud prevention), 60-62 (transparency), 65-67 (erasure and restriction) and 101-116 (international transfers).

Data Protection Act 2018 The UK statute that supplements the GDPR (now the UK GDPR), exercises the derogations the GDPR leaves to national law, and sets out the separate regimes for law enforcement and intelligence services processing. Available at legislation.gov.uk: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

Schedule 1 (conditions for processing special category and criminal offence data; Part 2 contains the substantial public interest conditions, including paragraph 10, preventing or detecting unlawful acts, and paragraph 14, preventing fraud) and Schedule 2 (exemptions from data subject rights, including the crime and taxation exemption at Part 1, paragraph 2) are of particular importance in financial services contexts. Note that Schedule 6 is not the special category schedule: it sets out the modifications to the GDPR that produce the "applied GDPR" for processing outside EU law.

UK GDPR The GDPR as retained in UK law on 31 December 2020 by the European Union (Withdrawal) Act 2018 and adapted by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019; since 1 January 2024 this body of law is termed "assimilated law" under the Retained EU Law (Revocation and Reform) Act 2023. The consolidated text, incorporating post-Brexit amendments, is available via legislation.gov.uk: https://www.legislation.gov.uk/eur/2016/679/contents

The legislation.gov.uk text contains UK-specific amendments that differ from the EU original (for example, the transfer and supervisory authority provisions are rewritten to refer to the Secretary of State and the ICO). Use this version for UK GDPR analysis, not the EUR-Lex text.


Regulatory Guidance

ICO (Information Commissioner's Office)

The ICO is the UK's supervisory authority for data protection. Its guidance website provides comprehensive practical guidance across all areas of UK GDPR compliance. Essential reading:

ICO Guide to UK GDPR https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

Covers all aspects of UK GDPR from documentation requirements through data subject rights. The sections on lawful bases, special category data, and data subject rights are particularly thorough.

ICO Guidance on Data Sharing https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/

Includes specific guidance on sharing personal data with law enforcement and other public authorities — directly relevant to the AML-GDPR intersection.

ICO Guidance on Subject Access Requests https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/

Covers exemptions from the access right including the crime and taxation exemption under DPA 2018 Schedule 2. Includes worked examples relevant to financial services.

ICO Guide to International Transfers https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

Covers the UK international transfer framework post-Brexit, including the IDTA, the UK Addendum to EU SCCs, and UK adequacy decisions.

ICO Mandatory DPIA List https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/

Lists the processing operations for which the ICO, exercising its power under UK GDPR Article 35(4), requires a DPIA in addition to the Article 35(3) cases. Examples on the list include large-scale profiling, processing of biometric or genetic data, and matching or combining datasets from different sources, all of which are routine in KYC and AML processing.

EDPB (European Data Protection Board)

The EDPB coordinates the consistent application of the GDPR across the EU/EEA. Its guidelines and recommendations are not legally binding, but supervisory authorities and courts treat them as the authoritative reading of the Regulation; its decisions under Article 65 in cross-border disputes are binding on the authorities concerned. Key guidance for financial services:

EDPB Recommendations 01/2020 on Measures that Supplement Transfer Tools https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer-tools_en

The post-Schrems II guidance on Transfer Impact Assessments and technical supplementary measures. Essential reading for any practitioner dealing with cross-border data transfers.

EDPB Guidelines 04/2022 on the Calculation of Administrative Fines https://edpb.europa.eu/system/files/2023-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf

Relevant for understanding how supervisory authorities approach enforcement and penalty calculation.

EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification (version 2.0, adopted December 2021). Listed in the EDPB document library at https://edpb.europa.eu/our-work-tools/our-documents_en

Provides detailed worked examples of breach scenarios and appropriate notification decisions.

EDPB Guidelines 05/2022 on the Use of Facial Recognition Technology in the Area of Law Enforcement https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052022-use-facial-recognition-technology-field_en

Written for law enforcement processing under the Law Enforcement Directive rather than for commercial processing, so it does not apply directly to biometric KYC. Its treatment of facial templates as biometric data under Article 9, and its necessity, proportionality and DPIA analysis, nonetheless carry across to identity verification and liveness checks; for the commercial setting, read it together with the relevant supervisory authority's own biometric guidance (for UK purposes, the ICO's guidance on biometric data).

EDPB Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (28 February 2023) https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-32022-european-commission-draft-implementing_en

The EDPB's formal opinion on the DPF adequacy decision, identifying residual concerns that inform the ongoing legal challenge.


Key Court Judgments

Schrems II: Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (C-311/18) CJEU Grand Chamber judgment, 16 July 2020 https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4263166

The foundational case for the current EU-US data transfer landscape, and one to read in full: the judgment runs to just over 200 paragraphs. The analysis of the Standard Contractual Clauses, including the exporter's obligation to verify that the law of the destination country does not undermine the clauses (the origin of the Transfer Impact Assessment), is at paragraphs 122-149; the Privacy Shield analysis and its invalidation follow at paragraphs 150-202.

Schrems I: Maximilian Schrems v. Data Protection Commissioner (C-362/14) CJEU Grand Chamber judgment, 6 October 2015 https://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4263166

The predecessor judgment that invalidated Safe Harbor. Reading Schrems I alongside Schrems II illuminates the structural pattern of the CJEU's analysis.

Google Spain SL v. Agencia Española de Protección de Datos (C-131/12) CJEU, 13 May 2014 The foundational "right to be forgotten" judgment under the 1995 Directive. Remains relevant for understanding the erasure right under GDPR Article 17.


EU-US Data Privacy Framework

European Commission Adequacy Decision: EU-US Data Privacy Framework (July 2023) https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

The full text of the Commission's adequacy decision, including the analysis of Executive Order 14086 and the Data Protection Review Court.

Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities https://www.federalregister.gov/documents/2022/10/14/2022-22520/enhancing-safeguards-for-united-states-signals-intelligence-activities

The US executive order that established the safeguards the Commission relied on in the DPF adequacy decision.

noyb.eu DPF Challenge Materials https://noyb.eu/en/noyb-files-first-gdpr-complaint-against-eu-us-data-transfers-under-new-trans-atlantic-data-privacy

noyb.eu's legal submissions and complaint materials relating to the DPF challenge, useful for understanding the arguments that may ultimately be presented to the CJEU.


US Privacy Law

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) Full text available via California Legislative Information: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100

California Privacy Protection Agency (CPPA) Regulations https://cppa.ca.gov/regulations/

The CPPA has issued implementing regulations under the CPRA that address the detailed operational requirements. These are regularly updated as the CPPA exercises its rulemaking authority.

FTC Safeguards Rule (16 CFR Part 314) https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314

The FTC's information security rule under the Gramm-Leach-Bliley Act for non-bank financial institutions within FTC jurisdiction. The rule was substantially revised in December 2021 (with most of the new requirements, such as a designated qualified individual, written risk assessment, encryption and MFA, taking effect in June 2023) and amended again in 2023 to require notification to the FTC of security events affecting 500 or more consumers.

State Privacy Law Tracker (IAPP) https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

The International Association of Privacy Professionals maintains a comprehensive tracker of US state privacy law enactments, including effective dates, thresholds, rights provided, and enforcement mechanisms.


Academic and Practitioner Texts

Foundational Privacy Theory

Solove, D.J. (2008). Understanding Privacy. Harvard University Press. The most accessible and comprehensive introduction to privacy theory. Solove's taxonomy of privacy — covering information collection, information processing, information dissemination, and invasion — provides a conceptual framework applicable across legal and technical contexts. Essential background for practitioners who want to understand why privacy law exists, not just what it requires.

Westin, A.F. (1967). Privacy and Freedom. Atheneum. The foundational text in modern privacy theory. Westin's definition of privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" remains the most influential formulation in US and UK privacy scholarship.

Bygrave, L.A. (2014). Data Privacy Law: An International Perspective. Oxford University Press. Comparative analysis of data protection law across multiple jurisdictions, grounding the GDPR in its historical and comparative context. Particularly useful for practitioners working across multiple legal systems.

GDPR Practice

Voigt, P., & von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer. A practitioner-oriented commentary on the GDPR, article by article. Useful as a reference for specific provision interpretation.

Kuner, C., Bygrave, L.A., & Docksey, C. (Eds.) (2020). The EU General Data Protection Regulation (GDPR): A Commentary. Oxford University Press. A more academic, article-by-article treatment, with comparative perspectives and commentary on the legislative history of individual provisions.

Data and Technology

Cate, F.H., & Mayer-Schönberger, V. (2013). Notice and consent in a world of Big Data. International Data Privacy Law, 3(2), 67-73. Examines the limitations of the consent model in big data contexts. Highly relevant to the financial services discussion of consent as a lawful basis, and to why consent is often inappropriate as the primary basis for processing at scale.

Zuboff, S. (2019). The Age of Surveillance Capitalism. PublicAffairs. A broader critique of data-driven economic models. While more polemical than technical, Zuboff's analysis of the structural incentives that underlie data collection at scale provides useful context for the regulatory response.

Dwork, C., & Roth, A. (2014). The Algorithmic Foundations of Differential Privacy. Foundations and Trends in Theoretical Computer Science, 9(3-4), 211-407. The definitive technical reference on differential privacy. Available at: https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf

Technically demanding but rewarding for practitioners who want to understand the mathematical foundations of differential privacy rather than just its application.


RegTech Tooling

OneTrust https://www.onetrust.com/

A widely deployed privacy management platform, covering consent management, data mapping, DSAR management, DPIA workflow, vendor risk management, and regulatory change management. Used by a significant proportion of large financial services institutions globally.

TrustArc https://trustarc.com/

Competitor to OneTrust, particularly strong in consent management and regulatory assessment. Provides sector-specific frameworks for financial services privacy compliance.

DataGrail https://www.datagrail.io/

Focused on DSAR management and data mapping, with strong integrations into enterprise SaaS platforms (Salesforce, Workday, etc.). Useful for institutions with complex SaaS landscapes.

Privacy-Enhancing Technology

Privitar https://www.privitar.com/

UK-founded PET vendor (acquired by Informatica in 2023) with a specific financial services focus. Provides a data privacy platform enabling privacy-preserving analytics through pseudonymisation, generalisation, and differential privacy. Has worked with major UK financial institutions and the Bank of England.
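To make the three techniques named above concrete (and to give a runnable counterpart to the Dwork and Roth material in the previous section), here is an added illustration in Python. It is not Privitar's product code and not taken from Dwork and Roth; the customer records, the key and the epsilon values are constructed for the example. It shows keyed pseudonymisation of customer identifiers, generalisation of a quasi-identifier to reach a k-anonymity level, and a counting query released through the Laplace mechanism with a simple epsilon budget.

```python
"""Pseudonymisation, generalisation and a Laplace-mechanism count on a
constructed customer table (added illustration; not vendor code)."""
import hashlib
import hmac
import math
import random
from typing import Callable, Dict, Hashable, List, Tuple

# Constructed, fictional records: (customer_id, age, outward postcode, flagged_for_review)
Record = Tuple[str, int, str, bool]
RECORDS: List[Record] = [
    ("C1001", 34, "EC2A", True),
    ("C1002", 38, "EC1A", False),
    ("C1003", 29, "SW1A", False),
    ("C1004", 35, "SW1W", True),
    ("C1005", 63, "M1", False),
    ("C1006", 67, "M2", True),
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256, truncated to 64 bits of hex for readability.

    A plain hash of a sequential customer ID is reversible by enumeration; the
    HMAC key is the 'additional information' that must be held separately
    (UK GDPR Art. 4(5)). To whoever holds the key the output is still personal data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_age(age: int, width: int = 20) -> str:
    """Replace an exact age with a band such as '20-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise_postcode(outward: str) -> str:
    """Keep only the postcode area letters ('EC2A' -> 'EC', 'M1' -> 'M')."""
    area = ""
    for ch in outward:
        if not ch.isalpha():
            break
        area += ch
    return area


def min_group_size(rows: List[Record], quasi_id: Callable[[Record], Hashable]) -> int:
    """Smallest equivalence class under the quasi-identifier: the k in k-anonymity."""
    counts: Dict[Hashable, int] = {}
    for r in rows:
        counts[quasi_id(r)] = counts.get(quasi_id(r), 0) + 1
    return min(counts.values())


class PrivacyBudget:
    """Tracks cumulative epsilon; under sequential composition the epsilons add."""

    def __init__(self, total_epsilon: float) -> None:
        self.remaining = total_epsilon

    def spend(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.remaining -= epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF; rejects the measure-zero u = -0.5."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(rows, predicate, epsilon, budget, rng) -> float:
    """Counting query released with Laplace noise of scale 1/epsilon (count sensitivity is 1)."""
    budget.spend(epsilon)
    exact = sum(1 for r in rows if predicate(r))
    return exact + laplace_noise(1.0 / epsilon, rng)


def demo(key: bytes = b"hsm-held-key", seed: int = 7) -> dict:
    """Run all three techniques over RECORDS; the key and seed are constructed values."""
    rng = random.Random(seed)
    raw_qi = lambda r: (r[1], r[2])
    gen_qi = lambda r: (generalise_age(r[1]), generalise_postcode(r[2]))
    flagged = lambda r: r[3]
    budget = PrivacyBudget(1.0)
    noisy = dp_count(RECORDS, flagged, 0.5, budget, rng)
    try:
        dp_count(RECORDS, flagged, 0.6, budget, rng)  # 0.5 + 0.6 exceeds the budget of 1.0
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {
        "pseudonyms": [pseudonymise(r[0], key) for r in RECORDS],
        "k_raw": min_group_size(RECORDS, raw_qi),
        "k_generalised": min_group_size(RECORDS, gen_qi),
        "exact_flagged": sum(1 for r in RECORDS if r[3]),
        "noisy_flagged": noisy,
        "budget_exhausted_on_second_query": exhausted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points the code makes that the vendor descriptions do not: pseudonymised output remains personal data for anyone who can reach the key, which is why key custody (not the hashing) is the control a DPIA should examine; and a differential privacy deployment is only as good as its budget accounting, since each released statistic consumes epsilon and a system that answers unlimited queries at fixed epsilon provides no meaningful guarantee.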

Mostly.AI https://mostly.ai/

Synthetic data generation platform using generative AI. Provides tools for generating synthetic financial data for model development, testing, and sharing. Includes re-identification risk scoring.

Gretel.ai https://gretel.ai/

Developer-focused synthetic data and differential privacy platform. Strong Python SDK integration. Used in financial services for model training data generation and regulatory sandbox applications.

Flower (Federated Learning Framework) https://flower.dev/

Open-source federated learning framework enabling cross-institution model training. Financial services applications including multi-bank fraud detection.

PySyft https://github.com/OpenMined/PySyft

Open-source library for privacy-preserving machine learning, including federated learning and secure multi-party computation. Maintained by OpenMined.

Data Discovery and Classification

BigID https://bigid.com/

Data intelligence platform for data discovery, classification, and risk assessment. Provides automated RoPA generation from discovered data assets.

Microsoft Purview https://www.microsoft.com/en-us/security/business/microsoft-purview

Microsoft's data governance and compliance platform, integrated with Microsoft 365 and Azure. Includes data classification, sensitivity labelling, and compliance management.

Spirion https://www.spirion.com/

Specialises in sensitive data discovery across enterprise environments, including financial services-specific data patterns.


Professional Organisations and Ongoing Resources

International Association of Privacy Professionals (IAPP) https://iapp.org/

The leading professional body for privacy professionals globally. Offers CIPP/E (Certified Information Privacy Professional/Europe) and other certifications. The IAPP's daily newsletter, research publications, and conference programme provide the best ongoing coverage of developments in data privacy law and practice.

IAPP Certified Information Privacy Professional/Europe (CIPP/E) The CIPP/E qualification covers EU and UK data protection law in depth and is widely recognised in financial services compliance. Syllabus and study materials available at iapp.org.

Future of Privacy Forum https://fpf.org/

US-based nonprofit focused on data privacy research and policy. Particularly useful for tracking US state privacy law developments.

Bird & Bird "Data Protected" Blog https://www.twobirds.com/en/insights/data-protected-blog

Regularly updated commentary from Bird & Bird's data protection practice on CJEU judgments, supervisory authority decisions, and regulatory developments. High-quality practitioner perspective.

Linklaters "Data Protected" https://www.linklaters.com/en/insights/data-protected

Similar resource from Linklaters. Particularly strong on cross-border transfer developments and EDPB guidance.

Fieldfisher "Privacy and Information Law Blog" https://privacylawblog.fieldfisher.com/

Broad coverage of EU and UK privacy law developments, including financial services-specific analysis.


Note on Currency

Data privacy law is among the most rapidly evolving areas of financial services regulation. The Schrems II judgment (2020), the new EU SCCs (June 2021), the IDTA (March 2022), the EU-US DPF (July 2023), and ongoing state law developments in the US have all produced significant change within a short period. The EU-US DPF faces active legal challenge. The UK's post-Brexit data protection reform agenda (the Data (Use and Access) Act 2025) introduces further changes to the UK framework.

Practitioners should supplement the foundational texts listed above with ongoing monitoring of:

  • ICO publications and enforcement decisions (ico.org.uk/about-the-ico/what-we-do/our-work/articles-and-blogs/)
  • EDPB opinions, guidelines, and press releases (edpb.europa.eu)
  • CJEU case tracker for pending privacy-related proceedings (curia.europa.eu)
  • IAPP daily digest and news tracker (iapp.org/news/)
  • National supervisory authority enforcement decisions (CNIL in France, the German Länder authorities alongside the federal BfDI, and the Autoriteit Persoonsgegevens in the Netherlands are particularly active)

The IAPP's enforcement tracker (iapp.org/resources/article/dpa-gdpr-enforcement-tracker-and-map/) provides a searchable database of publicly reported GDPR enforcement decisions, allowing practitioners to identify patterns in supervisory authority priorities and reasoning.