A recent conference held by this news service drew practitioners from the UK and European wealth industries to discuss the effects of major data protection rules due to take effect in May.
Preparing for the forthcoming European Union rules on data protection and making sure businesses comply effectively must be embedded in the culture of organizations and not simply treated as technology issues, a recent conference in London heard.
“Where we set up our programme [about GDPR] this is about change management, about business transformation,” Ben Revill, business manager of Xpedition, formerly known as Touchstone CRM, told the WealthBriefing event. The conference was held at the offices of EY at 1 More London Riverside, London.
Revill, speaking on the first of two panels at the event, talked to his co-panelists and delegates after the general issues around GDPR were set out by Anthony Kirby, associate partner at EY.
The weeks leading up to the start of GDPR on 25 March require firms to ensure people consent to the information that needs to be held about them; to document what information an organisation holds; to review privacy notices; to nominate data protection officers; and to ensure protection of specific rights. Firms such as private banks and wealth managers are in a race against the clock to ensure that they are compliant ahead of the May deadline or risk facing fines, including up to 4 per cent of their annual global turnover or €20 million ($23.5 million), whichever is higher. Official bodies such as the Information Commissioner’s Office have issued guidance about what people should do.
The regulations come into force less than five months after the financial market sector has had to wrestle with another major set of EU rules: the Markets in Financial Instruments Directive, second iteration, aka MiFID II. The ability of wealth managers to get ready for GDPR, having just coped with the MiFID II regime, was a discussion point at the WealthBriefing conference.
Speakers on the first panel were Kayleigh Lewis, chief engagement consultant, Xpedition; Xpedition’s Revill; James Rounds, associate partner, EY; Monica Sasso, director, wealth management regulatory change, Deutsche Bank; and Irwin Spilka, group and UK data protection officer, Stonehage Fleming.
The second panel featured Chris Hamblin, editor of Compliance Matters; Shaun Hurst, subject matter expert at Actiance; Jeremy Kajendran, senior manager at EY; Robin Smith, senior director at Actiance, and Richard Syers, technical director, Actiance. Sponsors for the conference were Actiance, EY and Xpedition. Supporting organisations were ProFundCom, smartKYC and CPE.
Panelists dealt with issues such as how firms should ensure the whole organisation puts GDPR into action, monitor what GDPR demands and deal with issues such as switching data from paper to digital platforms.
A key term to grasp is “transparency”, Spilka said: “People need to know how individuals use, share, collect and store their information.” Deutsche’s Sasso, talking about the “consent” issue, said that in a business such as her own, there was not a wide range of areas requiring consent from clients, but the old approach of “negative consent” (a client opting out of some form of process) was over. Going forward, consent has to be “purposeful”, Sasso said. She argued that it was harder for relatively small organisations to successfully implement GDPR than larger ones because of the gap in resources available.
Revill argued that GDPR should be treated as a chance for firms to sort out their data/information systems, rather than simply treat it as a compliance issue. “Firms are seeing this as an opportunity to change the way they work,” he said. “How prepared firms are for GDPR will be guided by their business model… some clients think it is quite cool that banks are picking up on data and using it,” he said. For some firms, such as those operating a franchise model or outsourcing a considerable amount of work, the GDPR challenges can be more complex. EY’s James Rounds, asked whether clients will want to receive personalised data from organisations, said that some clients will want such services.