Evolution or revolution? The experts’ view on GDPR (part 2)
The second in our two-part report on the WDX GDPR roundtable looks at the experts’ view on the scope of this far-reaching regulation and the best ways of instilling this in house. The panel comprised GDPR experts from EY, PIMFA (The Personal Investment Management and Financial Advice Association) and the IRTA (International RegTech Association). Here is their insight.
In just over a month, the General Data Protection Regulation (GDPR) comes into force, but the panel members’ ongoing discussions with financial services firms have confirmed that many are lagging somewhat behind in their preparations. They have also indicated an industry-wide lack of process for the ongoing deletion of data before the regulation takes effect, pointing to the need for a clear change in attitude if the objectives behind GDPR are to be realised.
GDPR needs to be considered in tandem with other regulations, but unlike the developments that have assumed the industry’s focus of late, this is a cross-industry regime that applies to all sectors. The regulation raises questions around best practice for archiving data in the unfortunate situation where a customer is off-boarded, particularly given the apparent conflict with the data retention periods imposed by other regulations. Ian Cornwall, Director of Regulation at PIMFA, said that for many this requires a change in mindset, similar to the clean desk policy. PIMFA’s advice for firms questioning how they should store such data is to archive it separately from CRM insight, so that it sits outside day-to-day processing but remains accessible if required.
The panel agreed that whilst financial services as an industry has, at least of late, been on the receiving end of more regulatory change than other sectors, this could in fact prove to be something of a blessing when it comes to meeting the challenges posed by GDPR. It was discussed that all regulated firms should have operational risk frameworks in place – these set out the risks and mandate the controls needed to manage them – and the same applies to privacy. These firms have a good head start.
As an industry that has shifted its focus to the consumer, many front office teams in financial services are viewing GDPR as an opportunity to enhance their client servicing capabilities. However, GDPR ripples through the full breadth of an organisation, including HR and third parties. The panel considered how businesses are repositioning themselves to meet the GDPR requirements, and noted that while many businesses have deemed the COO responsible, there is a clear emergence of the Head of Information Security role within many firms – a hybrid between compliance and security and the technology and information perspective required to bring this to life.
Regardless of whether a firm has the scale to warrant a dedicated role, the panel agreed that firms should nominate data champions who ensure responsibility is devolved across the breadth of the organisation. But there is a clear need for guidance in many quarters. One delegate said, “Data management and data strategy are new and overlooked skills. We have policies in place to deal with these but there’s a need to re-educate and reinforce a real change in business, the way we have seen with TCF (Treat Customers Fairly).”
And with the International Association of Privacy Professionals estimating a 75,000-strong shortfall of experts qualified to support firms with GDPR within Europe, the stakes are high as we venture into this new territory.
The delegates, who represented a number of wealth and investment management firms, agreed that full business engagement is key to GDPR readiness. One recounted the impact a senior working group – with full business representation, from operations to client services – had on his organisation, ensuring accountability, engagement and effective data mapping.
WDX recommended a two-tier approach to implementation. As Johnny Beloe, Senior Product Consultant at WDX explained, “As many firms look up from implementing MiFID II within their businesses, the challenge is to understand what is required, and what is practical between now and May. After that, firms must focus on the aspects that emerge in the course of practice where legal precedents will provide much needed clarification to a regulation that, in parts, could be considered dangerously open to interpretation.”
It was suggested that firms use this approach to drive further efficiencies. Every time there is new regulation, the industry runs around in circles – there have been massive waves of work on resilience, on security and now on privacy. Organisations should focus on embedding GDPR into business as usual, then take stock and leverage the insights gained through this and wider regulation to stand them in good stead for future developments.
The industry has a tendency to rely on the regulator for support in dealing with compliance matters, but GDPR has forced firms to take a much more proactive approach. It was pointed out that, across the board, firms are communicating with their customers and updating them on their approach to data. Over time, almost by osmosis, consumers are becoming more conscious of data, its usage and implications, and their rights. We are all becoming more vigilant, so we have higher expectations of what firms should do with our information.
Richard Maton, Head of Strategic Initiatives at the IRTA agreed, “It is about the consumer and how they respond – suddenly everyone is aware of their rights. We have seen a shift, whether it has been driven by regulators or consumers. Traditionally, the regulators have taken the approach that if firms have a planned and documented process, they are comfortable. However the dynamics are different here due to the unknowns around the customer.”
So, how will the regulators govern such an ambiguous and largely unknown entity? It is all about transparency and instilling the right processes for the long term, said Giulia Lupato, Senior Policy Advisor at PIMFA. “When you make a decision, record it. Show the thinking that got you there to demonstrate how your business is managing data.”
The roundtable provided varying perspectives on this impending regulation, but the overriding view of the panel was clear – where GDPR presents ambiguities, common sense must prevail if businesses are going to act in their clients’ interests. As EY summarised, it is not just about what data firms capture from the outset, but what they do with it once they have captured it. So, while GDPR may be about evolution rather than revolution, it is clear that this evolution will continue well beyond May 2018.