How prepared is your firm for GDPR?
The deadline for implementation of GDPR is fast approaching - 25th May 2018 to be exact. So, how do you think your firm's preparations are going?
Are you like virtually all of the marketing directors surveyed by data management firm Relay42 back in June 2017, who reckoned that their firms were completely ready? Or, do you empathise more with the 90 per cent of businesses surveyed by law firm Blake Morgan in September 2017, who said they had still to update their privacy policies?
Either way, GDPR means work – lots of work – for all financial services firms, and keeping track of all the different elements probably feels like keeping lots of plates spinning at the same time; you can’t afford to let any of them drop and smash, because that would potentially mean a hefty fine.
This is where the risk arises. There are a number of big-hitting changes that GDPR is introducing. Take your pick from the following:
- The need to construct a data inventory for all processing activities;
- Changes needed to the consent regime for processing data;
- The need to appoint a Data Protection Officer;
- Revisions to procedures for dealing with subject access requests;
- The need to notify breaches to the relevant authority within 72 hours; and
- The need to review the procedures operated by any third party who processes data on your behalf, involving privacy impact assessments for existing and new third party arrangements.
Bringing all this together in time for May 2018 is an onerous task for any firm - despite the confidence displayed by some.
However, there’s one element of GDPR in particular that’s potentially tricky to implement – and could trap the unwary. It’s the right to be forgotten (or the right to erasure as it’s also known). This effectively hands a significant amount of power to data subjects to request that data controllers erase all personal data in whatever form held (whether electronic or otherwise). To make matters worse, this erasure has to take place without any undue delay – so no pressure, then!
The problem here is that the Devil’s in the detail. There are conditions laid down in GDPR which mean that this right to have data wiped is not without restrictions. The two most important ones for financial services firms are where compliance with legal obligations is required and where legal claims have to be defended.
This requirement isn’t going to be as easy to meet as originally thought. And the complexity of financial products to which customers’ personal data is linked just makes it worse.
Take insurance policies for instance. A customer comes to you and asks for his data to be removed from a joint life policy which lapsed several years ago. Simple, you might think. But what do you do about the data that relates to the other policyholder? How do you separate this out? If the data is still within a period that wouldn’t be considered to be excessive, you can’t automatically wipe that as well.
And then, what about pension transfers? You mustn’t forget the regulatory requirement to retain records relating to suitability assessments for an indefinite period. Does that constitute a defence for retaining the data under GDPR? If so, how do you explain to customers that you can’t fulfil their request?
And it’s not simple for investment firms either. What about data relating to the ongoing relationships with discretionary fund managers or intermediaries?
Also, what if information is requested by law enforcement agencies, or other statutory bodies?
The whole thing starts to look a bit like a minefield.
So, what’s the solution? The most important thing all firms must do is to make sure they understand their products and services, and in particular, the personal data they hold in each of these cases. Then these should be mapped or recorded in some way, and in each instance, a decision will need to be made about whether personal data can or can’t be erased in each circumstance.
Firms will then need to understand what processes they need to put in place in order to identify the relevant data that can be erased and then to make sure that the data is fully erased so no trace remains on any records. Remember, there’s a risk of a pretty significant fine at stake here, up to the greater of 4 per cent of global turnover or 20million EUR, so these processes must be right.
Then there’s the question of dealing with the customer – how do you explain to him or her that their request to erase the personal data you hold can’t be granted? Are your servicing teams going to be comfortable saying no to what could possibly be a disgruntled individual on the end of a phone or email?
Work to do
The right to erasure of personal data is a powerful right for data subjects – but there’ll be a number of legitimate circumstances where firms cannot and should not agree to such requests. Businesses have legal and regulatory requirements they need to continue complying with, and these will sometimes mean keeping hold of certain pieces of data for longer than the data subject would like.
Before any work on data and procedures takes place, everybody who’ll be involved in processing data needs to have a good understanding of the requirements of the regulations. Training is an area where corners can’t be cut – not just on the right to erasure but on all of GDPR’s requirements.
Remember – whether you’re confident of your readiness or not to comply with GDPR, time is short!