In our latest blog on GDPR, we’ve asked qualified professionals for their opinions on GDPR, how this trailblazing European regulation is affecting financial services today, and how it will continue to influence global data processing for many years to come.
This blog isn’t designed as an exhaustive guide to interpreting evolving GDPR regulation. It is instead intended as a timely reminder that, as more jurisdictions emulate the structure of GDPR, the pressure on our industry to get data protection right – first time – has never been more acute.
Was GDPR a ‘flash in the pan’?
In short: No.
GDPR arrived amid mystery and hyperbole not seen since the ‘millennium bug’. On this occasion, however, almost every business was required to assess and update its data protection arrangements and to think about them as a long-term strategy. While almost all businesses already looked after their data, many had never assessed the risks within their existing processes and could not imagine a situation that would lead to censure or a fine.
From a consumer perspective, there were public information commercials, myriad emails from long-lost suppliers suggesting you would “never hear from them again”, and a narrative suggesting that huge fines would be the order of the day for any firm not adhering to the rules. This even led to a brief flurry of legal firms offering ‘no win, no fee’ representation to people harmed by firms flouting their data rights.
Almost two years on, the hype has almost entirely disappeared, but financial services firms should not assume that regulators have been distracted by other geopolitical matters. There is much going on behind the scenes that will almost certainly result in high-profile fines and reputational damage for the firms involved.
What GDPR did achieve was to make the world more aware of just how much data we share, and how (some) firms abuse that implied trust to re-market, sell to or single us out for behavioural advertising. Whether through California’s CCPA or GDPR-inspired laws in Brazil, South Africa, Japan and India, the world is awakening to a broader scope of data protection regulation, and tech firms are worried!
Interpretation of GDPR in Europe
We’ve uncovered many inconsistencies in the way that GDPR is interpreted across Europe. For example, in Portugal certain aspects of GDPR have been ‘gold plated’ in national law, whereas in Germany the bar has been set lower. In Luxembourg, Data Protection Officers usually require a legal qualification, whereas in Gibraltar there is no requirement to appoint a DPO.
These inconsistencies mean that financial services firms, particularly those that trade across Europe and across other frontiers (not least post-Brexit), need to consider GDPR as it is applied in every jurisdiction in which they operate. This matters most in jurisdictions whose supervisory authorities have broad powers to remotely interrogate data movements and have built field teams that make unannounced visits to physical sites in their country.
A Culture of Compliance?
As you will have seen in our earlier blogs and white papers, at ComplySci we talk a lot about helping our clients develop a culture of compliance within their firms. Without an ‘open door’ policy and an environment where critical thinking is encouraged, there can be no effective compliance culture across a complex financial services operation.
In the last few months we’ve heard GDPR compliance discussed in the past tense: “We threw a couple of million behind it and we’re now OK”. That is not the way to embed GDPR.
GDPR, like all compliance activities, needs to be owned by every team, not just those working in risk, compliance or ethics functions. Understanding the key roles defined by GDPR – Data Controller and Data Processor – and which of them your firm plays for each processing activity remains crucial. Appointing a Data Protection Officer (while not always mandatory) is strongly recommended.
Given the complex nature of our industry and the data assets it relies on, protecting those assets is a key challenge for every firm. The potential financial and reputational damage of a breach is significant, and how an emerging incident is identified, contained, reported and remediated could have long-lasting implications for your brand.
A reminder of GDPR’s key facets for your firm
While the UK Government assesses its future regulatory framework during the post-Brexit ‘transition period’, both the UK and Europe remain bound by, and focused on complying with, GDPR.
Each financial services firm will face different GDPR challenges, although many banks have reported that deleting and amending data across multiple legacy platforms is a recurring issue. Other firms have found that compliance activities have converged, embedding GDPR into the decision-making process and thereby raising its profile at board level.
Whatever the size of your company, benchmarking your processes and procedures against each of the following categories will help you maintain compliance, or help you create strategies for embedding a compliance culture:
- Understanding Data Provisions – map where personal data is held, processed and used, and whether your firm acts as Controller or Processor for each activity. Record how long it is retained, on what basis, and how it is kept accurate and up to date.
- Marketing – bespoke privacy notices are crucial and must state plainly what data your firm collects, why it processes it and on what lawful basis. Establish that lawful basis before undertaking any marketing activity (for electronic direct marketing this will usually be consent), and keep a record of the explicit consent or other condition relied on to hold or process special category data.
- Training, Coaching and Culture – ensure that GDPR (like all compliance activities) becomes part of the culture. Cover it at onboarding and throughout the review cycle so that it stays on the radar for all employees and contractors.
- Contractors – if you use third-party agencies to manage or process personal data, you remain accountable as Controller for what they do with it. Use only processors that can give sufficient guarantees, put a written data processing agreement in place with each, and keep an up-to-date register of every service provider and the data they handle.
- International movements of data – ensuring that data transfers are safe and secure is fundamental. Consider how cloud storage affects compliance, and map the data flows that may take personal data outside your own jurisdiction. Any transfer outside the EEA must rest on an appropriate safeguard, such as an adequacy decision, standard contractual clauses or binding corporate rules.
- Reporting Procedure – every firm should define its internal process for detecting, escalating and handling a breach, including how it will meet the 72-hour deadline for notifying the supervisory authority and when affected individuals must also be informed.
While the hype around GDPR has subsided, the regulation is very much alive and well, and its requirements are now firmly embedded in financial services firms’ daily activities.
ComplySci recognises the importance of GDPR and data privacy compliance generally, as it applies to our own operations and to those of our global clients. As new information becomes available and regulation evolves, we may update this blog to keep it current.
As some institutions have found, legacy systems and manual processes continue to pose a compliance challenge. ComplySci is designed to streamline workflow, reduce the potential for human error, and support a compliance culture in firms of all sizes.
ComplySci is here to help. Contact us for a live demo.