12 month countdown to GDPR

With just 12 months left before the European Union’s (EU’s) General Data Protection Regulation (GDPR) becomes law, preparations are top of mind for marketing, compliance and governance teams in the financial and professional services sector.
The regulation, which covers data protection, as well as eye-watering penalties for non-compliance, means making sure your organisation is compliant.  How far is the financial services sector ready for GDPR and what are some of the difficulties that lay ahead?

• In terms of data protection and data security measures, Financial Services organisations are mainly GDPR-ready as the industry has already had to go far beyond the regulatory standards that are currently in place. And it’s much the same story for banks too, with most organisations having data security to the ninth degree
• A key difference between how the industry currently operates and how it will have to comply with GDPR is the way you gain consent from customers – which is more a legality issue than about protection.   For example, theneed for opt-ins, rather than opt-outs means that everyone being sent information (although maybe a much reduced number) will be interested in your content – a real positive for all concerned
• One of the main difficulties with GDPR is a customer’s ‘right to be forgotten’, which is slightly complex and contentious. There must be a way of removing customer data from systems wholly and completely, when asked, which is difficult as applications have not been built with this in mind, as it was never a requirement before.  However, conflicting obligations makes this process difficult, with the directive saying customers have a ‘right to be forgotten’, but as a business you need to keep records for seven years, for audit purposes.  It will be interesting to see which one wins out
• Liability is an important consideration, and depends who you’re actually storing data for (consumers or businesses) and where those businesses are based, i.e. UK or elsewhere in Europe
• And what about post-Brexit?  Financial services firms in the UK will need to compete with the rest of Europe.  So, the UK Government must confirm that it will continue to use GDPR as standard and that its own laws are as stringent, or more so, than those laid down in GDPR

Although some of the GDPR requirements may seem onerous, there are many positives that should result from these regulatory changes, with new requirements forming a structured and comprehensive basis for best practice data management:  There will be far less ‘wastage’ in marketing as a result of the need to ‘opt-in’ rather than ‘opt-out’; and firms that produce engaging content and relevant material will steal a march on less disciplined competitors.

Putting individual responsibility at the heart of firms’ conduct
Last month, the FCA released its business plan for 2017/2018, with accountability and governance in the financial services sector being a key priority – putting individual responsibility at the heart of firms’ conduct, making managers and senior staff more accountable for the ethical stance & governance of their firm 

The key aims of the Senior Managers & Certification Regime (SM&CR) are to strengthen individual accountability at the most senior levels of relevant firms and improve their standards of conduct at all levels.  We expect firms and their senior managers to apply the spirit, as well as the letter of the regime…The SM&CR provides clarity for both firms and regulators about each senior manager’s responsibilities.  We will continue to use firms’ responsibilities maps and individual senior managers’ statements of responsibilities throughout the regulatory lifecycle…These tools will further help us to identify and assess key senior individuals’ management and governance arrangements…We will consult on the accountability regime for all FSMA firms in 2017, and complete our preparation to implement the regime from 2018…(Source: FCA Business Plan 2017/2018) 

“FCA research, since the regime’s introduction has shown that although there’s been strong progress in terms of firms adopting a culture of individual accountability there’s still evidence of overlapping or unclear allocation of responsibilities. At some firms, responsibility is shared among staff at different levels of management, obscuring who is genuinely responsible. Firms are on the right track but it’s an ongoing journey.  The shift in the regulator’s approach from prescribed rules to an expectation of good governance is fundamental, together with the need for cultural compliance and a strong emphasis on in-built ethics, rather than draconian oversight and penalties.  Evidence shows that companies viewing regulatory compliance as a tick box exercise are most at risk of falling foul of the FCA requirements.   Building-in a culture of compliance, where managers take responsibility and where ‘doing the right thing is the default’, will stand companies in good stead.”