Getting ready for GDPR

New data regulation due to come into force in just over a year’s time will bring challenges, but also opportunities.
Thirteen months and counting. In May 2018, new laws on data protection and privacy come into force, but the Information Commissioner’s Office warns the general data protection regulation (GDPR) still isn’t on the agendas of senior management at many organisations. For asset managers, struggling to protect their brand and preserve their bottom line in an industry where reputational damage and regulatory fines have been a consistent theme, that’s a potential disaster.
The window of opportunity for compliance with the GDPR is closing rapidly and the regulation is wide-ranging. It introduces new deadlines for reporting data breaches, tougher rules on customer consents, a new right for customers to be forgotten, responsibilities for ensuring data portability and a requirement for the appointment of a designated data protection officer. For asset managers that fall foul of the rules, regulators will have the power to issue fines of up to €20m or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches.
The big problem for many asset managers is they do not currently have good oversight of the data coming into their organisations or even of what data they already hold – a single customer may generate multiple data entries across multiple systems. Struggling with ageing technologies and legacy systems, few asset managers have been able to introduce holistic data governance policies. As a result, while they are keen to unlock the value of their data, they do not currently know where their most valuable information is stored – let alone have the visibility they will need in order to comply with the GDPR.
The regulatory imperative of GDPR creates some very specific issues for asset managers and the cost of non-compliance will be very high, both in terms of the fines and penalties potentially due and the broader reputational damage.
For example, meeting a 72-hour deadline for full disclosure of a data breach will be impossible for companies that do not know where all their data is held – how will they know exactly what has been breached? – or that have no pre-planned response system in place. Nor will asset managers be ready to transfer a customer’s data to a rival provider, or to delete it if requested, unless they know where to find it.
Similarly, the requirement to obtain new and more explicit consents, even from existing customers, for data processing represents a major headache. Introducing concepts such as privacy by design and the right to be forgotten as new products and services are developed and new customers targeted will require a major cultural shift.
The broader concern is that the GDPR threatens asset managers’ innovation pipeline, and even their ability to compete. As teams employed on exciting data and analytics initiatives are distracted by the need to deliver regulatory compliance, they must ensure their work does not grind to a halt. All the more so given the disruptive threat posed by greenfield entrants to the asset management sector, which are not constrained by legacy burdens and can build their systems from scratch in order to be GDPR compliant from day one.
Still, the challenge is to see the GDPR as an opportunity to be embraced as well as a difficulty to be overcome. The system and process renewal necessitated by the new regulation may prove to be a positive as asset managers seek to innovate at speed. Combining the compliance effort with the drive to obtain competitive edge from data and analytics will leave chief data officers and their teams with no choice but to embrace customer-centricity. Those asset managers able to secure data advantage may come to regard the effects of the GDPR as benign – or even as positive.
The imperative is to move swiftly to solve the problems that lie ahead. Consider the following action points:

  • Find out what data is held, where it is and who has access to it;
  • Have a clear view of any additional risks posed by third-party access to data;
  • Check to see that data is being used only in ways that customers have consented to;
  • Audit the extent to which customer data is well protected;
  • Consider how you use data across your business – and how you would like to;
  • Build an organisational view of what data privacy means to the whole business;
  • Embed data protection and privacy issues into overall business strategy;
  • Evaluate systems and processes on whether they are agile enough to facilitate innovation;
  • Be ready for further change as the regulatory environment evolves.