The General Data Protection Regulation (GDPR) is bringing data privacy and security law into the modern age, Stephen Hopkins, director of the cyber risk services practice at Deloitte, told the PAM Annual Operations Dinner.
GDPR, which applies from May 2018, makes major changes to data privacy rules that have been in place under the existing directive since the 1990s, Mr Hopkins said. "The world is a different place now, we didn't have Facebook and firms weren't capturing and using as much data as they were before."
According to Mr Hopkins, organisations are working through the regulation with a particular focus on the 30 to 40 articles they regard as "high priority". He pointed to the key areas where he has seen firms pay the most attention.
Firstly, the sanctions regime, which provides for fines of up to four percent of annual worldwide turnover or EUR 20 million, whichever is higher. According to Mr Hopkins, whether the regulator would actually levy fines of that size is debatable, and firms would have to be in "flagrant breach time and time again" in order to face them. He noted that while GDPR is a European regulation, its scope is global: non-EU organisations will need to comply if they are providing services to European data subjects.
The right to be forgotten is another "headline grabbing" area, Mr Hopkins stated, with some under the impression that firms must erase all data about a client on request. He emphasised that it is not an "absolute" right: financial organisations have a duty to uphold existing rules and regulations, such as record-keeping obligations, before acting on a GDPR erasure request.
Mr Hopkins also pointed to the requirement to notify the regulator within 72 hours of becoming aware of a data breach as an area of focus, with organisations re-evaluating whether they are actually able to detect a breach when one occurs. He reminded diners that breaches are not only electronic attacks perpetrated by "hackers and foreign governments"; organisations need to identify every scenario in which a breach could occur, including loss, misdirection and insider misuse of data.
He also identified a strong emphasis on "privacy by design", which means that when implementing new systems and processes, or changing existing ones, a privacy and threat assessment has to be carried out. Organisations therefore need to consider the potential negative consequences of these systems and processes for data subjects, a concern that could become more prevalent with the introduction of cognitive technologies, Mr Hopkins said.
Other "hot topics" include consent for marketing, and the processing of data on criminal matters, medical conditions or children.
Ahead of the compliance deadline, Mr Hopkins identified some things to consider. These include whether an organisation is in a defensible position against the high priority articles, and whether that position is sustainable over time.
Firms also need to make sure that they have the capacity to deliver the remediation necessary on their systems and that the right people are in place to give advice.
Mr Hopkins recommended focusing on unstructured data. "Lots of organisations are focusing on big systems, which are important, but it is quite common for business processes to be driven by people sharing things via email and sharing folders. These organisations need to identify where their unstructured data is and whether or not it falls foul of GDPR," he commented.
Finally, Mr Hopkins noted that people are "struggling" with third parties and that it is necessary to look into the privacy requirements built into contracts with suppliers and other processors.
The PAM Annual Operations Dinner was held at the Goring Hotel on Tuesday 10 October 2017. It was attended by 22 wealth management chief operating officers (or the like), three speakers, and chaired by James Anderson, founder of PAM Insight. The evening was kindly supported by Deloitte, Pulsant and Multrees.