Barclays PLC Annual Report 2022, page 376
Supervision and regulation (continued)

Data protection

Most countries where the Group operates have comprehensive laws requiring openness and transparency about the collection and use of personal information, and protection against loss and unauthorised or improper access. Regulations regarding data protection are increasing in number, as well as levels of enforcement, as manifested in increased amounts of fines and the severity of other penalties. We expect that personal privacy and data protection will continue to receive attention and focus from regulators, as well as public scrutiny and attention.

The EU’s General Data Protection Regulation (GDPR) created a broadly harmonised privacy regime across EU member states, introducing mandatory breach notification, enhanced individual rights, a need to openly demonstrate compliance, and significant penalties for breaches. The extraterritorial effect of the GDPR means entities established outside the EU may fall within the Regulation’s ambit when offering goods or services to European based customers or clients. Following the UK’s withdrawal from the EU, the UK continues to apply the GDPR framework (as onshored into UK law and hence now referred to as the ‘UK GDPR’ - this sits alongside an amended version of the UK Data Protection Act 2018). Following the invalidation by the European Court of Justice (CJEU) of the EU-US Privacy Shield as a mechanism for transferring EU personal data to the US, the European Commission published new standard contractual clauses (SCCs) in 2021 to meet the requirements of GDPR and the CJEU decision, known as Schrems II. In early 2022, the UK Information Commissioner set out its own international data transfer agreement, and the international data transfer addendum to the European Commission’s SCCs for international data transfers. Implementing the new EU SCCs and/or the UK addendum, which involve case-by-case transfer impact assessments and other safeguards, is likely to result in increased compliance costs for the Group. In 2021, China adopted its first comprehensive law in relation to personal information called the Personal Information Protection Law (PIPL). The PIPL applies to processing activities within mainland China, but similar to the GDPR, the PIPL has extraterritorial reach. As the global data protection regulatory landscape develops, noncompliance with any such requirements could lead to regulatory fines and other penalties.

In the US, Barclays Bank Delaware is subject to the US Federal Gramm-Leach-Bliley Act (GLBA) and the California Privacy Rights Act of 2020, which amended the California Consumer Privacy Act of 2018 and came into effect on 1 January 2023 (CPRA). The GLBA limits the use and disclosure of non-public personal information to non-affiliated third parties, and requires financial institutions to provide written notice of their privacy policies and practices and implement certain information security policies and practices. Any violations of the GLBA could subject Barclays Bank Delaware to additional reporting requirements or regulatory investigation or audits by the financial regulators. More broadly, the Group’s US operations are subject to the CPRA which applies to personal information that is not collected, processed, sold or disclosed subject to the GLBA. The CPRA requires applicable members of the Group to both provide California residents with additional disclosures regarding the collection, use and sharing of personal information and grant California residents access, deletion, correction and other rights, including the right to opt-out of certain sales or transfers of personal information and the right to limit the processing of sensitive personal information to certain purposes. Any violations of the CPRA may be subject to enforcement by the California Privacy Protection Agency and the California Attorney General and the imposition of monetary penalties, as well as potential lawsuits arising from the private right of action provided to California residents in the case of certain data breaches. Bills proposed in the United States Congress and in the legislatures of various US states, if enacted, may have further impact on the data privacy practices of Barclays’ US operations. In addition, all 50 states have laws including obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, state officers and others.

Cybersecurity and operational resilience

Regulators globally continue to focus on cybersecurity risk management, organisational operational resilience and the overall soundness across all financial services firms, with customer and market expectations of uninterrupted access to financial services remaining at an all-time high.

The regulatory focus has been further heightened by the increasing number of high-profile ransomware and other supply chain attacks seen across the industry in recent years and the growing reliance of financial services on Cloud and other third party service providers. This is evidenced by the continuing introduction of new laws and regulatory frameworks directed at enhancing resilience of both firms and their critical third party providers. A new UK framework introduced last year requires firms to be able to remain within impact tolerances set for their important business services by no later than 31 March 2025, with further legislation focusing on the resilience of critical third party providers now in the pipeline.

The European Union’s Digital Operational Resilience Act (DORA) entered into force in January 2023 and will apply in early 2025 (after a two-year implementation period), introducing comprehensive and sector specific regulation on Information Communication Technologies (ICT) incident reporting, testing and third party risk management, and providing for direct oversight of critical third party providers servicing the EU financial services sector. The existing and anticipated requirements for increased controls will serve to improve industry standardisation and resilience capabilities, enhancing our ability to deliver services during periods of potential disruption. However, such measures are likely to result in increased technology and compliance costs for the Group.

In 2022, the SEC published proposed disclosure rules and amendments regarding cybersecurity risk management, governance and incident reporting by US-listed companies, including foreign private issuers such as Barclays PLC and Barclays Bank PLC. Also in 2022, NYDFS both increased enforcement of and published proposed amendments to its main cybersecurity regulation applying to the New York Branch of Barclays Bank PLC. Final versions of the SEC proposed disclosure rules and NYDFS proposed amendments are expected in 2023.

Regulatory initiatives on ESG disclosure

The EU Regulation on Sustainability-Related Disclosures introduces disclosure obligations requiring financial institutions to explain how they integrate environmental, social and governance factors in their investment decisions for certain financial products. In addition, the EU Taxonomy Regulation provides for a general framework for the development of an EU-wide classification system for environmentally sustainable economic activities. The EU Corporate Sustainability Reporting Directive will introduce sustainability related reporting obligations for various entities including EU banks and certain listed companies, with reporting to