Data protection 

Challenges and opportunities with new data laws


So how have firms been responding to the changes brought about by the General Data Protection Regulation (GDPR)?

According to regulation experts, it has been a bit of a mixed bag, but firms on the whole have struggled to incorporate the changes into their processes while managing their day-to-day business.

A report issued in July 2018 by Dimensional Research found that only 20 per cent of global companies surveyed believe they are GDPR compliant, while 53 per cent are in the implementation phase and 27 per cent have not yet started their implementation.

EU (excluding UK) companies are further along, with 27 per cent reporting they are compliant, versus 12 per cent in the US and 21 per cent in the UK.

David Varney, lawyer at Burges Salmon, says: “A lot of our clients in the financial sector have come to us with varying degrees of readiness. GDPR was agreed in November 2016.

“We had a few waves of clients towards the end of last year. Some people came to us who had thought about their own measures. They wanted us to look over their GDPR plans and think about any plans or shortfalls that needed to be addressed.

“When the clock kicked over to 2018, we had a second peak of work from clients in January and February and a last-minute rush in April/May from people who came to us for advice.”

GDPR dictates how to maintain data about people, so financial firms have had various concerns over dealing with retail customers and employees.

Burges Salmon has advised on a few reported data breaches. It has also helped organisations that have received requests from customers and employees, seeking their rights under GDPR to access their data or for it to be forgotten.

Mr Varney says: “GDPR has required most people to up their privacy policies and notices. There are also requirements on organisations that use sub-contractors. They have to make sure the contracts covering those relationships are GDPR compliant.”

Mr Varney adds that most organisations are at a stage where they are GDPR compliant or on the road to being compliant, but are not yet fully there.

The Information Commissioner's Office (ICO), which enforces the regulation, has said GDPR compliance is a journey.

That said, Elizabeth Denham, information commissioner at the ICO, clarified there will be no ‘grace’ period – as firms have had two years to prepare.

But she added the ICO prides itself on being a fair and proportionate regulator and this will continue under the GDPR.

Umar Mohamad, a consultant at financial services regulatory consultancy Bovill, says a lot of the clients he has dealt with have struggled with the amount of work that needs to take place to be able to evidence compliance.