Financial services firms around the world have been working hard to hit today’s compliance deadline for the General Data Protection Regulation (GDPR). For many investment management firms, there was plenty to do ahead of implementation. But there is still work to be done.
The reality is that GDPR is less of a sprint and more of a marathon. Compliance with this regulation is going to be an ongoing process that will need to evolve as the firm’s business changes and as the external threat environment changes with it. It’s likely that regulation in this area will not stand still, either. Below are three key steps firms should take as part of their ongoing approach to GDPR compliance:
Specific types of investment firms may find GDPR requires much more of a change to their culture than initially expected. Hedge funds, alternative investment firms, and private equity firms might have had a more casual approach to the use of personal data for decades – mostly because personal and business relationships intertwine quite seamlessly in the normal ebb and flow of activities. Today, with the implementation of GDPR, these kinds of firms need to make a real cultural change to how they manage their data and support that change with the right training.
Other aspects of GDPR compliance need to be industrialized too. For example, if the business has decided that certain activities concerning personal data should not be done, the compliance function needs to run regular control tests to make sure these forbidden activities are not happening. Industrializing this type of activity generally involves using a RegTech solution that helps firms turn policies and procedures into automated alerts based on the individual organization’s compliance timeline. GDPR requires continual validation to ensure compliance – with such a high bar, it’s important that investment firms make the validation process simple and easy for all the teams involved.
GDPR-related risks include the obvious ones — fines of up to 4% of annual turnover or €20 million, whichever is greater — and these will usually grab the board’s attention. However, reputational risks can be just as devastating, and there are case studies of what happens to organizations that mishandle data privacy. It’s important that each organization look at the specific kinds of risks it faces in its own business and regulatory environment.
When it comes to providing risk intelligence, pages of data on tech stacks and metrics are not useful for leadership. Instead, the business heads need to be able to understand the regulatory and operational landscape: what the risks are, what peers are doing, and what the regulators are doing. The reporting should also focus on the organization’s “crown jewels” – the most sensitive data, systems, and business processes. And remember, the crown jewels may sit within the organization or with a third party the organization works with. The reporting should answer a range of questions: What are the threats to those assets, and if they are impacted, what is going to happen? What controls are in place? What is the residual risk?
In summary, GDPR implementation is really just the beginning of a firm’s data privacy journey. For most organizations, there is still much work to do. Compliance pressure will be coming from multiple directions – investors are expected to demand GDPR compliance assurance, and regulatory enforcement will be forceful, with examples made of a few non-compliant firms. The three key steps above will help improve an investment firm’s data protection security and resiliency in the face of this ever-evolving environment.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.