Last week we held a breakfast briefing at the Eight Club in London for CTOs and IT Directors within the financial services industry to talk about the implications of the General Data Protection Regulation (GDPR). The financial services market is under increasing pressure regarding compliance, not just with GDPR but other regulations such as MiFID II and PSD2, and we wanted to provide a forum to discuss this.
We also invited Compeer, who provide consultancy in this space, so that attendees could hear some of the latest guidance. IT leaders from organisations such as CCLA, AnaCap, Duncan Lawrie, Royal London Asset Management, Hodge Bank and First Capital met with their peers to air concerns and discuss progress in an open manner.
The GDPR, which officially replaces the Data Protection Directive in May next year, is intended to strengthen data protection for individuals in the European Union. It provides a set of rules that detail how organisations should collect, store and dispose of personal data. Breaches of these rules could prove costly; however, in our recent survey assessing readiness for GDPR, 17% of respondents were unaware that fines could be imposed. There is much talk in the press about the Independent Commissioner’s Office (ICO) looking to ‘make an example’ of some big names in the industry who may be failing when the regulations come into force. These penalties can be up to 4% of an organisation’s annual turnover, and a study by Consult Hyperion suggests that GDPR will cost banks €4.7bn in fines over the first three years of enforcement.
One of the key areas we discussed was a consumer’s ‘right to be forgotten’, under which they can request that all personally identifiable data held on them be deleted. Such data includes more than just a name – it may also be a home address or an IP address. To remove this information, and to prove to the consumer that this has been done, an organisation needs to know exactly where the data is and be able to retrieve and delete it. Our recent survey showed that 18% of respondents did not know where their data resided; this will be an important area to address in the next 12 months.
Brexit inevitably came into the conversation, and we confirmed that UK financial services organisations will need to comply with GDPR to maintain the confidence of EU business partners - regardless of how the Brexit negotiations pan out. If the UK leaves the EU, the government has said it will create something very similar for UK businesses to adhere to. GDPR also affects organisations outside the EU if they provide products and services to EU nationals.
It is clearly essential to be prepared for the arrival of GDPR and to address any gaps in compliance well in advance. In line with this, we suggested some initial actions financial services organisations could work on straight away. The first is to carry out an impact assessment, including a data audit, to find out where the information resides, what data is personally identifiable and how accessible it is. Working out what data is necessary for commercial purposes and deleting anything that is not needed is also advisable. It is helpful to build a picture of how information flows through the organisation – if a client provides their details over the phone to a wealth manager, does this data then sit on a piece of paper on a desk, get entered into one system, or into five different ones? Once the impact assessment is complete, a gap analysis will help to devise a plan for resolving the issues it highlights.
Our recent survey indicates that some companies remain unprepared for GDPR – only 58% said they had a team addressing the requirements and were on track to be ready. It is important to remember that data remains the responsibility of the organisation that owns it, wherever it resides. If plans are not already underway to ensure compliance then work needs to start immediately so that you are able to hit the ground running next May.