INTERVIEW: Tech Firm Warns On Looming European Data Protection Regime

Wealth managers should not delay in overhauling systems in preparation for a sweeping new data protection regime in Europe. And if they take a serious approach, it could be a competitive benefit, a technology company says.
As wealth managers embark on a “dash to digital”, a major challenge looming over the horizon is how firms prepare, as they must, for sweeping European data protection legislation that kicks in from May 2018, California-headquartered tech firm Delphix says.
The General Data Protection Regulation rules, agreed last year
and which are designed to replace previous regulations, apply to
a range of businesses and organisations, most definitely
including wealth management firms. The punishments lawmakers can mete out to offenders will be harsh. For example, under GDPR, fines of up to 4 per cent of annual worldwide turnover can be imposed in the event of a breach – enough to send some players out of business.
While the most high-profile lapses are likely to draw the earliest punishments, no organisation can afford to be complacent, Jes Breslaw, head of strategy for Europe, Middle East and Africa at Delphix, told this publication recently.
His firm is keen to ram home the message that there remains
widespread confusion about what the data protection legislation
will mean and what firms must do to get their house in order. And
while 2018 might seem a way off, the time to prepare is now. For
those firms that take a thorough approach, adapting to such
regulation could also be a competitive advantage.
Perhaps with so much regulatory activity coming out of Brussels,
Washington, London and other centres in recent years, business
executives are almost numbed to the scale of their compliance
requirements. Is it realistic for them to embrace a whole new
swathe of rules with alacrity? Breslaw demurs. “Banks and wealth
managers are going to have to get their houses in order but those
that do realise they will see significant business benefits,”
Breslaw said. Strong data protection systems will give businesses an opportunity to get to the root of any data vulnerabilities “once and for all”.
A strategic approach is far preferable to an “ad hoc”
one that could be more dangerous, he added. “Data protection
must be embedded into your entire processes,” he said.
Delphix recently produced a report, entitled GDPR
Requirements for Data Masking, which explains what firms
must do to take appropriate care in handling personal data. In a
survey of 300 executives from the UK, France and Germany, Delphix
said 21 per cent of UK businesses have no understanding of the
GDPR and 42 per cent in the UK have looked into some aspects of
the GDPR but not into the pseudonymisation tools that the
legislation recommends. (This relates to how identities of
persons whose information is handled can be kept private.) About
one in five of those that have studied the pseudonymisation
requirements in the GDPR admit that they are having trouble
understanding them, the report continued.
Data protection as a task rests solidly with C-level executives,
but so far, not enough organisations have appointed a chief data
officer or a chief privacy officer to tackle the issue, Delphix’s
report found. In the UK, 52 per cent listed the chief information
security officer or head of IT security as responsible. A further
18 per cent cited the chief data officer or data protection
officer followed by the chief executive or chief information
officer (17 per cent). Over a third (35 per cent) of French
respondents said that responsibility for data protection
primarily sits with a chief data protection officer, 25 per
cent named the CISO and head of IT security, and 23 per cent
named the CEO or CIO. In Germany, nearly half (44 per cent) said
that the CISO or head of IT security was responsible for data
protection, followed by the CEO or CIO (30 per cent), and the
chief data officer or data protection officer (18 per cent).
France fares best in this regard: the country has the best
understanding of pseudonymisation in the GDPR, with 38 per cent
of respondents claiming they fully understand pseudonymisation
requirements. This compares to 21 per cent in Germany.
Confusion still reigns in Germany, with 40 per cent revealing
they have studied pseudonymisation requirements in the GDPR but
are having trouble understanding them, the report said.
There are already CEOs saying they need to be compliant with
this legislation, Breslaw said. He predicts that more money is
likely to be spent on compliance with GDPR than on the so-called
millennium bug computer issue just before the turn of the
century. According to some estimates, the total for the Y2K issue
was in the region of $300 billion, more than $400 billion in
today’s money.
But while the prospect of yet more regulatory spending, and the
existence of another acronym to contend with, may sap the
spirits, Breslaw argues that a rigorous approach to handling data
should be a competitive differentiator for firms. For wealth
management, where there have been far too many cases of data
loss, not to mention “leaks”, in recent years, the stakes are
high.
(Editorial comment: It is perhaps understandable that compliance professionals and IT firms will say that spending resources on compliance and IT relating to areas such as data protection is necessary and may even be a competitive differentiator. There is merit to such arguments but, as always, this raises the issue of how boards choose to divide technology spending between that which they have to undertake and that which they wish to perform so as to expand and develop their businesses.)