The lead-up to this shift in regulatory focus was long and, for many firms, arduous, given the complexity of switching systems and the sheer weight of cataloguing, and potentially remediating, how, where and why data was being processed and utilised.
There is even a train of thought that SMEs could be the community which is left most exposed as technology now allows smaller companies to process millions of records, a capability previously out of reach of most budgets.
However, companies of this size often lack the legal and compliance infrastructure needed to control this data appropriately, and herein lies the problem.
So, one year on, what impact have we seen?
According to the European Data Protection Board, 206,326 cases were reported by supervisory authorities in the first nine months of the GDPR’s application.
Of these cases, 94,622 were related to complaints and 64,684 were related to data breach notifications by data controllers.
In the same period, supervisory authorities in 11 European Economic Area (EEA) countries issued administrative fines totalling €55,955,871. The vast majority of that total is the €50m fine France issued to Google in January 2019.
On a more confident note, there are strong suggestions that GDPR has increased awareness around the importance of personal information and customers are becoming increasingly confident in regard to their data rights.
All of these are opportunities for businesses that can match this with a positive and secure approach to handling personal data.
But what about the impact on financial advice and intermediary firms?
Data from Intelliflo suggested the introduction of GDPR impacted the daily business of nine out of 10 advice firms.
In all, 70 per cent of firms surveyed said GDPR had some impact on their business and a further 20 per cent said it had a “major impact”.
Just eight per cent said it had no impact and the remaining two per cent could not say either way.
When asked about the number of breaches firms had reported to clients, prospects or the regulator, the survey found 13 per cent had reported between one and five breaches.
Discussing how regularly employees receive formal training on data protection and/or the GDPR, 73 per cent said they receive it once a year and 17 per cent said they had training just once, when GDPR first came into force.
The data suggested that eight per cent receive it every six months and two per cent have never received it in a formal capacity.
However, breaches are only part of the GDPR impact and as the regulation settles in, an increased focus will be placed on the actual processing of data and ensuring that the legal basis and fundamental procedures are compliant.
Where do we go from here?
There are a number of steps some firms still need to take, but here are some of the simplest:
- Learn from the mistakes that have already been made by your own firm and by others. GDPR is a new regulation and the regulator is taking time to process breaches and complaints – similarly, guidance from the regulator is still being issued to help businesses understand their obligations. We can learn from a variety of firms, within the financial services sector and beyond, that have successfully embraced GDPR.
- Technology is important, but it should not be seen as the sole solution to GDPR compliance. Businesses need to become much more data aware, understanding how and why data is being processed, and then develop a culture that supports activities where privacy is part of the design. The question intermediary firms need to continue asking themselves is – am I working with the right type of systems and solutions which protect and benefit my business – and if not, why not?
- Be as transparent as possible in how you are dealing with data. A simple privacy notice written in plain English can help build additional trust and confidence in your business operations.
- Don’t overcomplicate things; stick to the basics. Be aware of how your data is gathered, collated, stored, shared and used. Undertake data audits or data mapping exercises on a regular basis and ensure everyone in the business, including your third parties, is fully up to speed on all procedures around data processing.
GDPR will always be with us – it is a long-term requirement and the need to maintain compliance will require the development of long-standing privacy cultures and privacy-centric business processes.
GDPR will also be joined by further legislation in other countries making the jigsaw of compliance all the more complex.
This may involve additional time, administrative and cost burdens, but as with all compliance-led initiatives, it has the potential to be a powerful tool to demonstrate how you value the trust your customers place in you when sharing their personal data. A compliant approach can also clearly differentiate your firm from those that do not have such measures in place.