Latest News

How GDPR will Affect Financial Firms (And How to Prepare)


3rd March 2018

As the GDPR and the 25th May 2018 edge ever closer, business across Europe are becoming increasingly concerned on the toll, the new regulation will take on their operations. The GDPR will seek to allow EU citizens and data subjects to have greater control over how their data is kept and the option to have their data erased on demand. Yet many companies have remained sluggish to adapt to the incoming legislation. In June earlier this year it was announced that 61 percent of companies hadn’t begun preparation for GDPR compliance.

One of the main reasons for this has been uncertainty over the cross-industry effect of the GDPR, and how various sectors will be affected by increasing data control regulations. The financial services industry in particular will be under great pressure to comply with the GDPR regulations. Businesses in the financial services industry, all the way from private equity firms, to hedge funds, IFA’s and traders deal heavily with valuable personal data, and will be made an example of if they fail to comply adequately with the legislation.

How the GDPR will Impact the Financial Services Market

One of the main problems raised by the GDPR is the right to be forgotten. The GDPR gives all data subjects the right to insist that their data is scrubbed from a companies record. In theory this is simple enough but in practice many companies lack the internal processes to be able to navigate through masses of data to delete one individuals record.

Data intensive businesses like private equity firms and hedge funds will need to have tight reign over the personal data of their subjects in order to comply with the GDPR. This data can cover anything from names and addresses, to card numbers, all of which will need to be ready to be discarded on demand. No less concerning is the fact that all of this data will need to be supported by the informed consent of the subject.

Even small boutique finance firms process masses of information on a daily basis, much of which is personal and confidential. On a larger scale, financial institutions such as banks will be closely monitored, and risk a fine of €20 million or 4% of global annual turnover for failing to comply. It’s unlikely that smaller financial firms will receive any slack either.

The entire situation is also complicated due to the fact that financial institutions will have to prove they have legitimate reasons for collecting all the data on their books. Traders and other firms will face serious challenges when it comes to being able to prove that all the data they hold is needed and supported by verifiable consent.

The only long-term approach for smaller financial firms is to implement data protection into the very core of their internal data management process. Any in-house IT services will need to be clearly defined with new internal report processes that track what data is being held. Such processes will make it much easier to find individual records and ensure that data breaches can be identified promptly.

As part and parcel of evolving towards GDPR compliance, staff will need to undergo new training on handling data and ensuring that verifiable consent is being obtained for all data recorded. Depending on the size of the organization, a Data Protection Officer may also need to be appointed. Financial firms looking to make the transition to GDPR compliance need to begin, as far in advance as they can as it will take sometime before the requirements are ready to be met.

How To Prepare

There are four keys to being prepared for the GDPR; allow data subjects to be forgotten, ensure you have a legitimate basis for the data you hold, have the internal processes to be able to respond to data breaches in time and ensure you have consent for all the data you have. Under the GDPR, big banks and smaller financial firms will need all four of these things in order to have broad compliance

In order to implement these four things, businesses need to start preparation as soon as possible. As part of your preparation for the GDPR, it’s important to start an impact assessment and data audit to find out how accessible your data is, and how easily you can access it. If this isn’t clear, then you’ll need to find a process to make your data accessible (Whether this is a matter of procedure, software, staff or all three).

As part of this assessment, it’s important to have an outline of the circulation of information throughout the company, to ascertain how information has been input into the system. Throughout this assessment, any data found to be of little use should be discarded so that’s easier to find more valuable data. Once an assessment has been completed, you’ll be in a much better position to look for weaknesses in your data management strategy and act accordingly. Many financial institutions in particular will also need to appoint a data protection officer to oversee their long term GDPR compliance.

Prepare for the GDPR Early

The overall aim of the GDPR is to make data controllers more accountable for the data they hold. Financial firms that embrace this aim, and attempt to implement internal processes that improve their data management will ensure compliance with the GDPR. Rather than lamenting the coming of the regulation, it makes much more sense to use it as an opportunity to show how seriously you treat consumer data.

So long as you have legitimate reasons for collecting the data you hold, this data is supported by verifiable consent and you have the means to recall and destroy this data on demand, you will be well prepared to work within the confines of the GDPR. Start your preparation as early as possible as it’s going to more difficult to ensure that you’re ready the closer to May 2018 you get.

If you’d like to know more about the GPDR and how your firm can prepare, have a look at our free eBook on https:/ and our specialist GDPR services in Data Discovery, Consultancy, Gap Analysis, IT Security and Network audits.