Practice Strategies
Wealth Industry Takes Deep Dive Into GDPR Impact
A recent conference held by this news service drew practitioners from the UK and European wealth industries to discuss the effects of major data protection rules due to take effect in May.
Preparing for the forthcoming European Union rules on data protection and making sure businesses comply effectively must be embedded in the culture of organizations and not simply treated as technology issues, a recent conference in London heard.
“Where we set up our programme [about GDPR] this is about change management, about business transformation,” Ben Revill, business manager of Xpedition, formerly known as Touchstone CRM, told the WealthBriefing event. The conference was held at the offices of EY at 1 More London Riverside, London.
Revill, speaking on the first of two panels at the event, talked to his co-panelists and delegates after the general issues around GDPR were set out by Anthony Kirby, associate partner at EY.
The weeks leading up to the start of GDPR on 25 March require firms to ensure people consent to the information that needs to be held about them; to document what information an organisation holds; review privacy rights; nominate data protection officers; and ensure protection of specific rights. Firms such as private banks and wealth managers are in a race against the clock to ensure that they are compliant ahead of the May deadline or risk facing fines, including up to 4 per cent of their annual global turnover or €20 million ($23.5 million), whichever is higher. Official bodies such as the Information Commissioner’s Office have issued guidance about what people should do.
The regulations come into force less than five months after the financial market sector has had to wrestle with another major set of EU rules: the Markets in Financial Instruments Directive, second iteration, aka MiFID II. The ability of wealth managers to get ready for GDPR, having just coped with the MiFID II regime, was a discussion point at the WealthBriefing conference.
Speakers on the first panel were Kayleigh Lewis, chief engagement consultant, Xpedition; Xpedition’s Revill; James Rounds, associate partner, EY; Monica Sasso, director, wealth management regulatory change, Deutsche Bank; and Irwin Spilka, group and UK data protection officer, Stonehage Fleming.
The second panel featured Chris Hamblin, editor of Compliance Matters; Shaun Hurst, subject matter expert at Actiance; Jeremy Kajendran, senior manager at EY; Robin Smith, senior director at Actiance, and Richard Syers, technical director, Actiance. Sponsors for the conference were Actiance, EY and Xpedition. Supporting organisations were ProFundCom, smartKYC and CPE.
First panel
Panelists dealt with issues such as how firms should ensure the whole organisation puts GDPR into action, monitor what GDPR demands and deal with issues such as switching data from paper to digital platforms.
A key term to grasp is “transparency”, Spilka said: “People need to know how individuals use, share, collect and store their information.” Deutsche’s Sasso, talking about the “consent” issue, said that in a business such as her own, there was not a wide range of areas requiring consent from clients, but the old approach of “negative consent” (a client opting out of some form of process) was over. Going forward, consent has to be “purposeful”, Sasso said. She argued that it was harder for relatively small organisations to successfully implement GDPR than larger ones because of the gap in resources available.
Revill argued that GDPR should be treated as a chance for firms to sort out their data/information systems, rather than simply treating it as a compliance issue. “Firms are seeing this as an opportunity to change the way they work,” he said. “How prepared firms are for GDPR will be guided by their business model….. some clients think it is quite cool that banks are picking up on data and using it,” he said. For some firms, such as those operating a franchise model or outsourcing a considerable amount of work, the GDPR challenges can be more complex. EY’s James Rounds, asked whether clients will want to receive personalised data from organisations, said that some clients will want such services.
Communication and compliance issues of GDPR
In the second panel, the question was put to ICO’s Syers about whether people and organisations have sufficient awareness of what the new data protection rules require. He said GDPR is about shifting the balance of power to the end-user. “There are quite a few myths and misunderstandings about how it is going to apply in practice. It is not a completely new regime,” Syers said.
EY’s Kajendran said much of the difference between how market participants communicate the GDPR message depends on whether they are individuals or institutions; to some extent, “institutions are already knocking on your door,” he said. With the new rights under GDPR, there is a need for a lot of information on what these rights are, he said.
“You can use GDPR as a commercial advantage in terms of how you communicate with clients….you can show you are taking their privacy seriously,” he continued.
Asked what was being done to raise public awareness, Syers responded: “My team is working with business, trade associations and with events like this….our focus in the policy team is getting guidance ready.” There will be more press, television and other media drives to spread the message about rights and responsibilities coming with GDPR, he said. One difficult area, he said, was small- and medium-sized companies. Already, he said, the GDPR topic is one of the most-read pages on the ICO’s website.
Asked if the ICO expected further tweaks to the GDPR directive before it becomes law, Syers said there are possible changes but he did not see major ones taking place.
The “right to be forgotten” [the idea of removing unnecessary or irrelevant data on a person from files] is an area which needs more clarity, Actiance’s Hurst said. “There are a lot of dubious people going out trying to scare the heck out of people about what [data] needs to be deleted and what doesn’t,” Hurst continued.
Syers said that if organisations need to keep information then, in most cases, they will be able to do so. “Generally, the older data is, the less useful it is going to be,” he said.
The point was made from the audience that in the case, say, of some trusts, the data involved in a trust’s creation might go back decades, and have to be stored somewhere, so a crude cut-off point for keeping data would not make sense.
The audience was also reminded by panellists that, regardless of the UK’s referendum vote in June 2016 to leave the EU, the data protection rules will affect the UK, and that any organisation outside the bloc dealing with it, such as American or Asian firms doing business in Europe, had to be mindful of its provisions.
Hamblin discussed some of the issues around whether, or how, GDPR might cause cross-border issues with jurisdictions such as the US. Another potential clash is between GDPR and MiFID II or other pieces of EU law.
Hamblin remarked that one point to ponder about Brexit was that common law worked differently from EU law in that it gave a recently passed Act precedence over a previous Act, settling any clash between them purely with timing. He did not, however, know whether the Great Repeal Bill (the law by which the UK will incorporate existing EU law into its own statutory law as it leaves the EU) would treat these pieces of legislation as earlier or later than one another, thereby resolving clashes in that way. He suspected that it would not, and would instead treat them all as part of the same huge omnibus Act, dating from the same day.
Other panellists noted, for example, that the US did not have an exact copy of GDPR in the works; in fact, the US Patriot Act and its powers to obtain information contain fewer safeguards for individuals than was the case with the EU legislation.