The introduction of the General Data Protection Regulation (GDPR) in the UK in May 2018 will mark an important juncture in the handling and processing of personal data by all firms, not just those in the financial services sector. For many UK-based financial businesses operating across borders, this piece of regulation heralds a move towards a more consistent way of looking at personal data handling and protection.
At a top level, the regulation is designed to ensure all personal data will be processed lawfully and fairly, in a protected way, and may only be collected for specific and legitimate purposes. There will also be an obligation to appoint a data protection officer who will be responsible for demonstrating the company complies with the principles of GDPR.
In the past, data protection has been implemented in a very piecemeal fashion across Europe. It is hoped that regulation like GDPR will fix this imbalance and there is a feeling within the industry that it is a necessary move.
The question that needs to be asked, however, is how many firms are still not ready for it?
With negotiations to leave the European Union now underway, and despite this being a regulation originating from the corridors of Brussels, the Government has confirmed it will neither prevent nor reverse the commencement of GDPR in the UK. As a result, firms must not bury their heads in the sand and think this issue is going to disappear or simply resolve itself.
There is still time
Ensuring a business becomes compliant with GDPR can involve a lot of time and resources; nonetheless, it is manageable within the timescales provided for deployment. For businesses at the beginning of their GDPR journey, what is needed first is awareness amongst high-level C-suite executives.
In fact, the Information Commissioner’s Office (ICO) set this out as the first step to becoming GDPR compliant. If you get senior buy-in, then the impact of the regulation, once assessed, is more likely to lead to the required change.
However, there are some out there who still consider GDPR a moving target. You cannot entirely blame them either, as there are still a number of unanswered questions surrounding the new regulations. While many consultancies are providing GDPR-specific advice, a number of firms, particularly in the legal sector, will not commit to guidance on the impact while there is still the potential for further guidance from the ICO and further development of relevant policy.
Nevertheless, it is important that companies start to look inwards at their personal data at as early a stage as possible. GDPR is not necessarily a huge task for any financial company to abide by, but it does need a thorough and comprehensive plan. If anything, this can be viewed as a big opportunity to clean up existing personal data. By taking this opportunity to remove and scrub client/prospect lists, or at least check their accuracy, there is the potential to make savings on processing costs and improve the quality of the personal data held.
Technology is no excuse
Tidying up legacy lists of personal data can be problematic for firms that are impeded by old, cumbersome technology or legacy systems. But come May 2018, it will no longer be acceptable for firms to rely on their technology limitations as an excuse for not being able to delete or access records, or as a reason not to produce such data.
As a result, with less than a year to go to ensure compliance is met, now should not be the time to be in the nascent stages of a GDPR strategy. Yes, it is still a moving target and much is to be finalised, but there is also plenty that is certain, and there is no doubt that early investment in understanding the personal data held will make the solution stage more achievable by the target date of May.