
    How prepared is your firm for GDPR?


    The deadline for implementation of GDPR is fast approaching - 25th May 2018 to be exact. So, how do you think your firm's preparations are going?

    Are you like virtually all of the marketing directors surveyed by data management firm Relay42 back in June 2017, who reckoned that their firms were completely ready? Or, do you empathise more with the 90 per cent of businesses surveyed by law firm Blake Morgan in September 2017, who said they had still to update their privacy policies?

    Either way, GDPR means work – lots of work – for all financial services firms, and keeping track of all the different elements probably feels like keeping lots of plates spinning at the same time; you can’t afford to let any of them drop and smash, because that would potentially mean a hefty fine.

    This is where the risk arises. There are a number of big-hitting changes that GDPR is introducing. Take your pick from the following:

    • The need to construct a data inventory for all processing activities;
    • Changes needed to the consent regime for processing data;
    • The need to appoint a Data Protection Officer;
    • Revisions to procedures for dealing with subject access requests;
    • The need to notify breaches to the relevant authority within 72 hours; and
    • The need to review the procedures operated by any third party who processes data on your behalf, involving privacy impact assessments for existing and new third party arrangements.

    Bringing all this together in time for May 2018 is an onerous task for any firm - despite the confidence displayed by some.

    Caution pays

    However, there’s one element of GDPR in particular that’s potentially tricky to implement – and could trap the unwary. It’s the right to be forgotten (or the right to erasure as it’s also known). This effectively hands a significant amount of power to data subjects to request that data controllers erase all personal data in whatever form held (whether electronic or otherwise). To make matters worse, this erasure has to take place without any undue delay – so no pressure, then!

    The problem here is that the Devil’s in the detail. There are conditions laid down in GDPR which mean that this right to have data wiped is not without restrictions. The two most important ones for financial services firms are where compliance with legal obligations is required and where legal claims have to be defended.

    This requirement isn’t going to be as easy to meet as originally thought. And the complexity of financial products to which customers’ personal data is linked just makes it worse.

    Take insurance policies for instance. A customer comes to you and asks for his data to be removed from a joint life policy which lapsed several years ago. Simple, you might think. But what do you do about the data that relates to the other policyholder? How do you separate this out? If that data is still within a retention period that wouldn’t be considered excessive, you can’t automatically wipe it as well.

    And then, what about pension transfers? You mustn’t forget the regulatory requirement to retain records relating to suitability assessments for an indefinite period. Does that constitute a defence for retaining the data under GDPR? If so, how do you explain to customers that you can’t fulfil their request?

    And it’s not simple for investment firms either. What about data relating to the ongoing relationships with discretionary fund managers or intermediaries?

    Also, what if information is requested by law enforcement agencies, or other statutory bodies?

    The whole thing starts to look a bit like a minefield.

    So, what’s the solution? The most important thing all firms must do is to make sure they understand their products and services, and in particular, the personal data they hold in each of these cases. Then these should be mapped or recorded in some way, and in each instance, a decision will need to be made about whether personal data can or can’t be erased in each circumstance.

    Firms will then need to understand what processes they need to put in place in order to identify the relevant data that can be erased, and then to make sure that the data is fully erased so no trace remains on any records. Remember, there’s a risk of a pretty significant fine at stake here, up to the greater of 4 per cent of global turnover or 20 million EUR, so these processes must be right.

    Then there’s the question of dealing with the customer – how do you explain to him or her that their request to erase the personal data you hold can’t be granted? Are your servicing teams going to be comfortable saying no to what could possibly be a disgruntled individual on the end of a phone or email?

    Work to do

    The right to erasure of personal data is a powerful right for data subjects – but there’ll be a number of legitimate circumstances where firms cannot and should not agree to such requests. Businesses have legal and regulatory requirements they need to continue complying with, and these will sometimes mean keeping hold of certain pieces of data for longer than the data subject would like.

    Before any work on data and procedures takes place, everybody who’ll be involved in processing data needs to have a good understanding of the requirements of the regulations. Training is an area where corners can’t be cut – not just on the right to erasure but on all of GDPR’s requirements.

    Remember – whether you’re confident of your readiness or not to comply with GDPR, time is short!
