Data protection | Apr 12 2018

What challenges does implementation bring?

Given that GDPR is set to come into force in the not-too-distant future, on 25 May, adviser firms should be well aware by now of the main challenges in implementing it.

So does it follow that bigger firms which hold larger volumes of client data will have more of a challenge working out how to store it and in getting consent from clients?

Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, believes preparing for GDPR could present as much of a challenge for smaller businesses.

“It could be challenging for both small firms, who might not have systems in place to automate many of the new requirements, and for larger firms, who will need to review data processing activities and system applications that store quantities of data to ensure compliance,” she notes.

David Marchese, a consultant at Gordon Dadds, agrees: “It’s not necessarily the size of firm that counts; it’s more how many different systems you use, and how easily you can trace items of data that may relate to a particular individual.”

The biggest challenge then, regardless of size, is understanding exactly what data is already held by the firm and figuring out how to store it in line with GDPR.

Mr Marchese warns: “If you don’t know what personal data you are storing and using, where it came from, on what basis it was obtained, what it is used for, how accurate it is, and so on, you will have a task in implementing the GDPR.

“And then you will need to know whether you will be able to correct or delete incorrect data, and record your processing activities.”

He confirms the starting point is an internal audit.

Physical and digital

The important aspect to note is GDPR applies not only to digitally held data but also physically held information on clients and customers.

For this reason, Scott Bancroft, principal consultant on cybersecurity at Capco, reiterates: “Firms can’t avoid the legacy data iceberg which must now have GDPR-compliant consent, and firms will need to get rid of the old data that has avoided data housekeeping for a long time.”

He confirms that cataloguing the physical and digital data, to know what data is held, where it is kept, how it is used and where it goes, is no trivial exercise.

“This could be a lengthy exercise to complete and needs to be managed, for more complex organisations, as a GDPR implementation project,” advises Steve Snaith, technology risk assurance partner at RSM.

One of the consequences firms will face if they fail to comply with GDPR is hefty fines and penalties.

“In the event of a breach that causes potential damage/harm to either personal or financial data,” explains Mark Greenwood, regulatory policy manager at The SimplyBiz Group, “a data controller must notify the Information Commissioner’s Office [ICO] ‘without undue delay’ – generally taken to be 72 hours.”

Firms will need to give reasons for a delay in reporting a data breach.

A new system of sanctions will be introduced by the ICO under GDPR, which means there are two tiers of fine for breaches of the legislation, as Mr Greenwood outlines:

  • For more severe breaches, a fine of (the greater of) 4 per cent of annual turnover or €20m can be applied.
  • For less severe breaches a fine of (the greater of) 2 per cent of annual turnover or €10m can be applied.

“Maximum penalties for non-compliance make for attention-grabbing headlines, but in reality, any penalty will be pitched at a level which reflects the degree of distress or harm which an incidence of personal data loss, accident or theft creates to natural persons, and how widespread the adversity becomes,” points out Mark Ehlinger, head of regulatory and professionalism services at Focus Solutions.

Giulia Lupato, senior policy adviser at the Personal Investment Management and Financial Advice Association (Pimfa), assures adviser firms the ICO will not “come down like a brick onto organisations for minor breaches as soon as the rules are in place”.

“Serious impact, wilful breach, repeated breaches, gross negligence, overly intrusive/abusive approaches are the serious offences that the ICO will mostly look to sanction,” she explains.

“It is worth noting that fines are only one of the many tools available to the ICO. There is an array of measures available including compulsory audits, reprimands, warnings and bans.”

Firm but fair

But at a conference organised by Pimfa in March, advisers were warned not to assume that the biggest fines will be handed out by the regulator for massive data breaches.

Duc Tran, a senior associate at law firm Herbert Smith Freehills, told delegates: "If you have done mass spam marketing to clients that are not expecting it, it will be a breach of any one of articles five, six, seven and nine of GDPR and will be tier one.

"It is not just huge scale data breaches that attract huge fines. It is errors and lapses in the ordinary course of business that can attract the highest level of fines from the ICO."

Virginia Chinda-Coutts, group director of data protection at DST Systems, cautions that in a worst-case scenario the ICO can stop an organisation from processing personal data, but she also calls the ICO a "fair and pragmatic" regulator.

She confirms the fines are not a red herring and that while there was no "clear definition of what significant means" in terms of a breach, any incidence of financial loss or distress "is the bar" for the ICO.

Rob Walton agrees the ICO has made it clear it is not in the business of putting companies out of business but he does raise one potential looming issue.

"The biggest risk to firms is in Article 82 of the GDPR, a.k.a ‘The ambulance chasing’ article," he says. "Article 82 makes it possible for data subjects to sue firms for any breach of their rights under the GDPR, even if it does not cause a material loss.

"We could be about to see the next ‘no win, no fee’ industry."

Forgetting clients

One part of GDPR that may be particularly hard for firms to navigate effectively is a client’s right to erasure - or right to be forgotten, as it is commonly referred to.

Mr Greenwood admits: “The right to erasure is a fundamental part of GDPR – one seen as a challenge by firms – whereby a client can request that they are deleted from a firm’s records. 

“This should be put into context, with the firm able to retain the client data where the data is required to comply with legal requirements or may be required to defend a future legal claim.”

[Infographic: The rights of individuals under GDPR. Source: Brooks Macdonald]

For many adviser firms, handling data related to the children of clients is an additional layer of complexity.

Brooks Macdonald’s business development director, Andrew Denham-Davis, suggests advisers will need to consider the personal data they hold on behalf of their clients’ children. 

“This will be particularly important for those whose clients span multiple generations,” he adds.

GDPR is not a case of a company getting all its data into place by 25 May and then carrying on as before.

The ICO will expect businesses to continue to comply with the legislation.

So one of the other challenges will be keeping on top of GDPR as an ongoing concern and not letting data standards slip.

“It is important to note that compliance/implementing the rules does not stop in May 2018,” Jon Szehofner, founding partner at GD Financial Markets, says.

“The policies and processes required to comply with GDPR on an ongoing basis will need to become part of a firm’s DNA.”

eleanor.duncan@ft.com