Within the financial services sector, already fatigued by a constant rhythm of regulatory changes, there might be the temptation to sit back when it comes to GDPR,
Mark Dryden is business development director at 360Dotnet
In May 2018, the way we collect, interact and store data will fundamentally change with repercussions that will significantly affect all businesses. Within the financial services sector, already fatigued by a constant rhythm of regulatory changes, there might be the temptation to sit back and see how things play out.
While this can be an astute tactic as FCA and PRA regulation is consulted upon and often incorporates valid feedback, the up and coming General Data Protection Regulation (GDPR) has been set by our friends in the EU, is already law and is definitely not affected by Brexit.
Every organisation that collects personal data is affected by the change regardless of size, sector or purpose. The regulation, that replaces the current Data Protection Act, attempts to address the new technical reality of how our personal data is used, processed and passed to third parties.
For us as individuals and consumers, this is a fantastic development as this removes the ambiguity and confusion of how our data is used, placing us in control and informed. Put another way, post-May 2018, if someone uses our data in a manner that feels wrong or creepy without our consent, then GDPR comes to save the day.
For those who have yet to make a PPI claim or about to have a minor car accident in the next three years, you will need to get those claims in quick people! Joking aside, the repercussions to business will be significant with Information Commissioner Officer (ICO) capable of dealing out fines up to €20m or up to 4% of annual turnover for serious breaches of the GDPR, whichever is the highest amount.
It is worth making the distinction that “personal data” is not referring “data” is a technical sense, it is referring to data in general regardless of how the data is collected and stored.
The GDPR applies to a paper based system just as much as an intermediary’s front and back office solutions. Failure to understand these challenges, failure to modify internal procedures and failure to capture the essential data post-May 2018 will significantly hamper businesses ability to function and expose them to unnecessary risk.
Financial penalties will capture many headlines, but intermediaries need to understand the challenges laid out by the GDPR and begin to make appropriate plans.
Front and back office software solutions provide the opportunity to mitigate the risks exposed by the GDPR as well as making compliance more efficient and seamless, but this doesn’t absolve intermediaries from responsibility. Each and every intermediary is responsible for its data, along with the processes that revolve around the collection, storage and processing of personal data.
I highly recommend reviewing the ICO’s 12 Steps document that provides an overview of GDPR regulation that will start you on the journey of understanding how we, as individuals, have more rights and powers over how our data is processed and how businesses need to increase the transparency and accountability of the data they hold and process.