Given that GDPR is set to come into force in the not-too-distant future, on 25 May, adviser firms should be well aware by now of the main challenges in implementing it.
So does it follow that bigger firms which hold larger volumes of client data will have more of a challenge working out how to store it and in getting consent from clients?
Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, believes preparing for GDPR could present as much of a challenge for smaller businesses.
“It could be challenging for both small firms, who might not have systems in place to automate many of the new requirements, and for larger firms, who will need to review data processing activities and system applications that store quantities of data to ensure compliance,” she notes.
David Marchese, a consultant at Gordon Dadds, agrees: “It’s not necessarily the size of firm that counts; it’s more how many different systems you use, and how easily you can trace items of data that may relate to a particular individual.”
The biggest challenge then, regardless of size, is understanding exactly what data is already held by the firm and figuring out how to store it in line with GDPR.
He warns: “If you don’t know what personal data you are storing and using, where it came from, on what basis it was obtained, what it is used for, how accurate it is, and so on, you will have a task in implementing the GDPR.
“And then you will need to know whether you will be able to correct or delete incorrect data, and record your processing activities.”
He confirms the starting point is an internal audit.
Physical and digital
The important aspect to note is that GDPR applies not only to digitally held data but also to physically held information on clients and customers.
For this reason, Scott Bancroft, principal consultant on cybersecurity at Capco, says: “Firms can’t avoid the legacy data iceberg which must now have GDPR-compliant consent and firms will need to get rid of the old data that has avoided data housekeeping for a long time.”
He confirms that cataloguing the physical and digital data, to know what data is held, where it is kept, how it is used and where it goes, is no trivial exercise.
“This could be a lengthy exercise to complete and needs to be managed, for more complex organisations, as a GDPR implementation project,” advises Steve Snaith, technology risk assurance partner at RSM.
One of the consequences firms will face if they fail to comply with GDPR is hefty fines and penalties.
“In the event of a breach that causes potential damage/harm to either personal or financial data,” explains Mark Greenwood, regulatory policy manager at The SimplyBiz Group, “a data controller must notify the Information Commissioner’s Office [ICO] ‘without undue delay’ – generally taken to be 72 hours.”