
25 May 2018
London
Reporter Jenna Lomax

GDPR goes live

The General Data Protection Regulation (GDPR) has now gone live as a part of EU legislation.

The new rules, which kick in today (25 May), cover how organisations process personal data and extend to the activities of non-EU organisations that offer goods or services to people located in the EU. A failure to comply can lead to fines of up to 4 percent of annual turnover.

In recent months, firms have been preparing for the implementation of the initiative, but over that time, many industry participants have raised concerns about the scope of the changes, with many suggesting it has been the biggest challenge of the year.

Alexander Dorfmann, director product management at SIX, said: “2018 will be the year where the compliance focus shifts from data consistency, to data quality.”

“Expect firms to be putting the pressure on market data vendors to provide one really strong source of information.”

Wendy Phillis, managing director of governance and regulatory solutions at RBC I&TS, explained these pressures elsewhere in the industry. She warned that, to avoid regulatory fines, asset managers in particular “will need to have explicit consent to collect and use data.”

She added: “Possibly the most challenging aspect of GDPR is the ‘right to be forgotten’, which gives any individual the right to demand that a firm deletes all data relating to them. Personal data is often held across a range of systems; therefore deleting it from all of these sources may prove difficult.”

With just one month until implementation, a Cordium and AmberGate survey found that more than 50 percent of investment firms asked said they were unlikely to be ready for GDPR.

Only 2 percent of surveyed firms had finished putting GDPR policies and procedures in place, while 59 percent of firms said they were unprepared to comply with the required 72-hour window to report a personal breach to regulators.

A further 64 percent said they were unprepared to respond to an exercise of data subject rights.

More recently, Michael Corcione, head of cyber security and data protection at Cordium, said: “Compliance with this regulation is going to be an ongoing process that will need to evolve as the firm’s business changes, and as the external threat environment metamorphoses. It’s likely that regulation in this area will not stand still, either.”

He advised: “Firms need to create a data protection culture. Many firms have conducted GDPR training so far as a box ticking exercise which will not be effective beyond the very short term. Organisations need to provide ongoing micro-training for all employees rather than simply rely on annual based training.”

“In order to create real cultural change, those at the top of an investment firm also need to understand how the regulation impacts their business, potential risks that it creates, and what questions they need to be asking of all three lines of defence as part of their governance role.”

But how much have things changed since Cordium and AmberGate’s survey was released in April? And how have other recent regulations, such as the second Markets in Financial Instruments Directive (MiFID II), helped the industry to prepare for GDPR?

Mack Gill, COO at Torstone Technology, said: “In January, MiFID II introduced a host of new requirements pertinent to data storage and management, and many firms have initially been concerned about ensuring compliance with these requirements.”

“The challenge now is to navigate the balance between affording people’s rights under GDPR, while also satisfying regulatory reporting requirements under MiFID II.”

He added: “GDPR is a huge obligation for any organisation and results from the increasing deluge of data processed by technology, especially in financial services. New regulatory deadlines and the related challenges are the very nature of our industry right now so it’s interesting to see who views it as an opportunity rather than as yet another burden.”

Further, Phillis predicts that the regulation could bring positives. She said: “In essence, GDPR is a regulation that improves transparency and protects the end investor which is a good thing as it should drive more business to regulated firms and increase the safety of the entire industry.”

Martin Schofield, director of financial crime at RFS, said today is just the beginning. He said: “Today’s implementation deadline is unlikely to be the last we hear of data breaches and some have asked if the new regulation is a case of ‘too much too late’?”

However, he stated: “If nothing else, the introduction of the GDPR will continue to highlight the need for appropriate policies, procedures and training and should encourage firms to educate their staff in the importance of data protection. Whatever happens, GDPR is an important step in ensuring that data protection is no longer seen as the poor relation of compliance.”
