Data protection, Sep 13 2018

Challenges and opportunities with new data laws


So how have firms been responding to the changes brought about by the General Data Protection Regulation (GDPR)?

According to regulation experts it has been a bit of a mixed bag, but firms on the whole have struggled to incorporate the changes into their processes while managing their day-to-day business.

A report issued in July 2018 by Dimensional Research found that only 20 per cent of global companies surveyed believe they are GDPR compliant, while 53 per cent are in the implementation phase and 27 per cent have not yet started their implementation.

EU (excluding UK) companies are further along, with 27 per cent reporting they are compliant, versus 12 per cent in the US and 21 per cent in the UK.

David Varney, lawyer at Burges Salmon, says: “A lot of our clients in the financial sector have come to us with varying degrees of readiness. GDPR was agreed in November 2016.

“We had a few waves of clients towards the end of last year. Some people came to us who had thought about their own measures. They wanted us to look over their GDPR plans and think about any plans or shortfalls that needed to be addressed.

“When the clock kicked over to 2018, we had a second peak of work from clients in January and February and a last-minute rush in April/May from people who came to us for advice.”

GDPR dictates how to maintain data about people, so financial firms have had various concerns over dealing with retail customers and employees.

Burges Salmon has advised on a few reported data breaches. It has also helped organisations that have received requests from customers and employees, seeking their rights under GDPR to access their data or for it to be forgotten.


Mr Varney says: “GDPR has required most people to up their privacy policies and notices. There are also requirements on organisations that use sub-contractors. They have to make sure the contracts covering those relationships are GDPR compliant.”

Mr Varney adds that most organisations are at a stage where they are GDPR compliant or on the road to being compliant, but are not yet fully there.

The Information Commissioner's Office (ICO), which enforces the regulation, has said GDPR compliance is a journey.

That said, Elizabeth Denham, information commissioner at the ICO, clarified there will be no ‘grace’ period – as firms have had two years to prepare.

But she added the ICO prides itself on being a fair and proportionate regulator and this will continue under the GDPR.

Umar Mohamad, a consultant at financial services regulatory consultancy Bovill, says many of the clients he has dealt with have struggled with the amount of work needed to be able to evidence compliance.

This is understandable because when the previous data regulation was written in 1998, the world was a very different place.

There were no smartphones and the amount and volume of personal data being shared was significantly less than today.

Mr Mohamad adds: “The whole problem of balancing a regulatory change project against your business as usual work; it pinches at your resources or you would have to bring in external contractors to help you with the resourcing.

“That’s a lot of the issues I have seen with the clients in financial services. They are not realising the amount of effort they would have to go through to be compliant with GDPR.”

Firms have also been struggling with knowing what information they need to retain on file.

Maurice McDonald, also a consultant at Bovill, says: “[It's] that line between what is required from a regulatory perspective and what information should be retained, how it should be retained and how do you get the required options from all of your clients about what information you are going to be obtaining from them and how it’s going to be used.”

Mr Mohamad notes: “There are some unintended consequences. When they are trying to protect themselves against potential claims in the future to say they may have mis-sold a product, how do they balance that against the GDPR requirement of only holding onto personal data as long as they need?”

GDPR has had a significant effect on the whole financial sector and has especially impacted the advisory sector, which is made up largely of smaller firms with limited technical and compliance resources.

On a more positive note GDPR is actually presenting opportunities for firms to stand out from their rivals.

According to Keith Maner, head of compliance at Thistle Initiatives, GDPR is an opportunity for businesses to “reset” how they use and collate data from their customers.

It will prompt new ways of thinking, and may bring about more trust and transparency.

Mr Maner explains: “There has been some evidence that GDPR is now being thought of as an opportunity for firms to gain some competitive advantage and to bring their data protection up to the standards that will be expected by more demanding data subjects.

“We believe that it could help catalyse a ‘data awakening’, where businesses and customers will begin to take data diligence and security much more seriously. This awakening also has the potential to provide further competitive advantage for firms that can more effectively demonstrate that the privacy by design objective is evident in their products and corporate culture.”

Richard Nuttall, head of compliance policy at Simply Biz, says that GDPR has also raised general awareness among advisers not only of what consumer data they hold, but also of how that data is stored and with whom it is shared.

Mr Nuttall suggests: “Of course, adjusting to new legislation is never easy, but I think advisers are in an advantageous position to many other UK businesses, as the principles of data protection, which are also the core principles of GDPR, are already adhered to within their businesses.

“It appears that the ICO is being lenient in its approach to enforcement over GDPR regulation so far, provided firms are being proactive in implementing processes to deal with their obligations, but this is likely to change going forward.”

ima.jacksonobot@ft.com