
    How prepared is your firm for GDPR?


    The deadline for implementation of GDPR is fast approaching - 25th May 2018 to be exact. So, how do you think your firm's preparations are going?

    Are you like virtually all of the marketing directors surveyed by data management firm Relay42 back in June 2017, who reckoned that their firms were completely ready? Or, do you empathise more with the 90 per cent of businesses surveyed by law firm Blake Morgan in September 2017, who said they had still to update their privacy policies?

    Either way, GDPR means work – lots of work – for all financial services firms, and keeping track of all the different elements probably feels like keeping lots of plates spinning at the same time; you can’t afford to let any of them drop and smash, because that would potentially mean a hefty fine.

    This is where the risk arises. There are a number of big-hitting changes that GDPR introduces. Take your pick from the following:

    • The need to construct a data inventory for all processing activities;
    • Changes needed to the consent regime for processing data;
    • The need to appoint a Data Protection Officer where the regulation requires one (for example, where the core activities involve large-scale, regular and systematic monitoring of individuals);
    • Revisions to procedures for dealing with subject access requests;
    • The need to notify breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; and
    • The need to review the arrangements with any third party who processes data on your behalf, including the written contract terms GDPR requires with processors, and to carry out data protection impact assessments where the processing is likely to be high risk.

    Bringing all this together in time for May 2018 is an onerous task for any firm - despite the confidence displayed by some.

    Caution pays

    However, there’s one element of GDPR in particular that’s potentially tricky to implement – and could trap the unwary. It’s the right to be forgotten (or the right to erasure, as Article 17 calls it). This effectively hands a significant amount of power to data subjects: where one of the grounds in the regulation applies (for example, the data is no longer needed for the purpose it was collected for, or the individual withdraws the consent the processing relied on), they can require data controllers to erase their personal data in whatever form it is held, whether electronic or otherwise. To make matters worse, this erasure has to take place without undue delay – so no pressure, then!

    The problem here is that the Devil’s in the detail. There are conditions laid down in GDPR which mean that this right to have data wiped is not without restrictions. The two most important ones for financial services firms are where the data is needed to comply with a legal obligation and where it is needed for the establishment, exercise or defence of legal claims.

    This requirement isn’t going to be as easy to meet as originally thought. And the complexity of financial products to which customers’ personal data is linked just makes it worse.

    Take insurance policies for instance. A customer comes to you and asks for his data to be removed from a joint life policy which lapsed several years ago. Simple, you might think. But what do you do about the data that relates to the other policyholder? How do you separate this out? If the other policyholder’s data is still within a retention period that wouldn’t be considered excessive, you can’t automatically wipe that as well.

    And then, what about pension transfers? You mustn’t forget the regulatory requirement to retain records relating to suitability assessments for an indefinite period. Does that constitute a defence for retaining the data under GDPR? A regulatory retention requirement is exactly the kind of legal obligation the exemption is designed to cover, but the firm has to be able to point to the specific rule it relies on, and to limit the retention to the records that rule actually covers. If so, how do you explain to customers that you can’t fulfil their request?

    And it’s not simple for investment firms either. What about data relating to the ongoing relationships with discretionary fund managers or intermediaries?

    Also, what if information is requested by law enforcement agencies, or other statutory bodies?

    The whole thing starts to look a bit like a minefield.

    So, what’s the solution? The most important thing all firms must do is to make sure they understand their products and services, and in particular, the personal data they hold in each case. That data should then be mapped or recorded in some way, and for each product and circumstance a decision will need to be made about whether the personal data can or can’t be erased, and on what ground.

    Firms will then need to put in place processes to identify the relevant data that can be erased and then to make sure that the data is fully erased so that no copy survives on any record, including backups and copies held by third parties who process data on the firm’s behalf. Remember, there’s a risk of a pretty significant fine at stake here, up to the greater of 4 per cent of global annual turnover or EUR 20 million, so these processes must be right.

    Then there’s the question of dealing with the customer – how do you explain to him or her that their request to erase the personal data you hold can’t be granted? Are your servicing teams going to be comfortable saying no to what could possibly be a disgruntled individual on the end of a phone or email?

    Work to do

    The right to erasure of personal data is a powerful right for data subjects – but there’ll be a number of legitimate circumstances where firms cannot and should not agree to such requests. Businesses have legal and regulatory requirements they need to continue complying with, and these will sometimes mean keeping hold of certain pieces of data for longer than the data subject would like.

    Before any work on data and procedures takes place, everybody who’ll be involved in processing data needs to have a good understanding of the requirements of the regulations. Training is an area where corners can’t be cut – not just on the right to erasure but on all of GDPR’s requirements.

    Remember – whether you’re confident of your readiness or not to comply with GDPR, time is short!
