It’s been nearly four months since Mifid II came into force, bringing new regulations to bear on firms working in the financial services sector.
In less than one month's time, financial services companies, along with the rest of the UK, have to deal with the advent of another, equally onerous, piece of regulation: the General Data Protection Regulation (GDPR).
Much has already been written about the extent to which organisations are ready to deal with GDPR. With just a few weeks to go until the May 25th implementation date, there is evidence to suggest that a large number of organisations remain blasé and ill-prepared for the requirements ahead.
Even for the many companies that have invested time in understanding the mechanics of GDPR, the reality of life after 25th May is only starting to sink in.
Amongst many in the corporate world, there is a burgeoning realization that the new rights afforded to data subjects are open to considerable abuse.
Under GDPR, any individual in the EU will be able to make a subject access request, requiring a company to hand over all the personal data it holds about that individual, along with details of why it is held and who it has been shared with.
At present, most companies hold personal data in disparate systems. Some rely on ageing archives that convert every electronic communication into email messages for storage; others simply take snapshots of social media exchanges.
Searching for a named person and their associated online identities will involve not just one search but several, possibly tens of searches, to ensure every piece of information is found, right down to a direct message (DM) sent over Twitter.
Even once all the searches are complete, the results still need to be correlated, so that the material can be sent to the person and a decision made on whether each item can be deleted or whether another regulation, such as a record-keeping obligation, overrides the right to erasure.
For each request, a company will need to invest a significant amount of time sourcing this data. Failure to respond within one month (extendable by a further two months for complex or numerous requests) exposes the company to fines of up to €20 million or 4 per cent of annual global turnover, whichever is higher.
Those who are experienced in the world of corporate crises may see the potential for this to be used as an additional weapon by activist stakeholders looking to punish an organisation.
A sufficiently motivated group will now be able to cause significant financial damage to an organisation through waves of data requests. GDPR does allow a company to refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, but the burden of demonstrating that falls on the company, and a flood of individually legitimate requests from distinct people is hard to characterise as excessive.
Take the recent challenges faced by Facebook and Cambridge Analytica as an example.
Facebook has suffered severe reputational and financial consequences on the back of its failure to meet its users' desired standard of data protection. Its share price fell as shareholders lost confidence in the company's handling of the situation.
Perhaps the most publicly damaging consequence was the #DeleteFacebook campaign. Launched by activist stakeholders, the campaign resulted in half a million people publicly stating that they would delete their Facebook profiles.