Expert: Ian de Freitas, Farrer & Co.
Facilitator: Alex Johnson
Wealth managers need to prepare for the privacy challenges that GDPR brings and be fully compliant ahead of its implementation on 25 May 2018. Firms must now move away from relying on client consent as the lawful basis for processing and examine their processes to ensure privacy has been considered across all of their products.
- Tighter consent rules mean businesses should seek to re-permission their data on a lawful basis other than consent, rather than continuing to ask clients for consent.
- Ongoing system changes must give wealth managers the ability to track client data to the exact locations where it is stored, and firms should know exactly who is processing that data.
- Growing numbers of data access requests are expected from individuals who are set to be empowered by new privacy rights under GDPR.
- Relationship managers present a considerable risk for wealth managers with respect to complying with GDPR’s new privacy measures.
- Companies should be looking to revise and re-issue privacy notices in light of updated data retention policies.
Initial discussion centred on the background of GDPR (General Data Protection Regulation) and where the industry finds itself six months away from its implementation.
After almost four years of debate, the European Commission, Parliament and Council finally reached a consensus on GDPR in December 2015. As a consequence of the political compromise, the regulation is not internally consistent throughout, and there continue to be many open questions as to how wealth managers can comply with parts of it. It was also noted that the Edward Snowden disclosures, which broke halfway through the drafting process, added ‘bells and whistles’ to GDPR.
Enforcement and sanctions for non-compliance have increased significantly under GDPR. Currently, data protection breaches carry a maximum monetary penalty of £500,000; under GDPR, penalties rise to up to 4% of annual global turnover (or €20 million, whichever is higher). UK businesses have to ensure they are fully compliant with GDPR before it comes into effect on ‘Zero Day’, 25 May 2018. It is also clear that Brexit will not stop the regulation taking effect in the UK, as the current Data Protection Bill is set to enshrine GDPR in UK law.
According to a recent industry survey, the biggest area of concern relating to GDPR is the ‘right to be forgotten’. Several delegates highlighted the impact that complying with increased volumes of D-SARs (Data Subject Access Requests) would have on their businesses. Many GDPR observers expect growing numbers of D-SARs from individuals seeking to find out what personal data is held about them. Two delegates had heard rumours that the UK Information Commissioner’s Office (ICO) is to launch an advertising campaign to educate consumers on their enhanced data protection rights under GDPR. One participant posed the question: “Will this be the new PPI?”. Firms can no longer charge £10 for individuals to submit a D-SAR, and companies must respond to these requests within a shortened timeframe of one month (down from the current 40 days).
A couple of exceptions to disclosure were highlighted during the roundtable. Legally privileged communications with lawyers do not have to be disclosed, and where a request would reveal information about employees, their rights must be balanced against what can be disclosed to the client. Tighter consent rules also mean that firms can no longer rely on employees consenting to having their personal data processed, given the imbalance of power in the employment relationship.
Data retention policies must be overhauled for GDPR so that they are shorter and more prescriptive for consumers. Discussion turned to common fears around re-permissioning existing client data, with one delegate reporting an 8% hit-rate from clients when asking them for new permissions. Under GDPR, consent must be an affirmative opt-in rather than the current opt-out framework of pre-ticked boxes and silence.
Businesses are also required to know exactly where client data is held and who is processing it. One instance was raised of a company using thousands of servers across different locations, which made it almost impossible to track where data was held. Cloud providers were seen as an effective solution to this problem, although prices for these services are set to rise next year. It was observed that GDPR now regulates both data controllers and data processors with respect to data security, so data processors will expect to be compensated for the additional risk they take on.
In terms of marketing, GDPR is not the only regulation coming into force. The replacement for the Privacy and Electronic Communications Regulations (PECR), covering email and SMS marketing, is expected to come into force next year, although the text is still being revised. One participant warned that businesses should also pay heed to their cookie policies to make sure they no longer record the device identifiers of individual mobiles and laptops.
Privacy by design is another topic of particular relevance to wealth managers under GDPR, with far-reaching implications. Privacy must now be built into new products and services from the outset, and wealth managers must also re-evaluate their existing products with privacy in mind. Moreover, firms will need to keep documentation demonstrating that they have built privacy into their processes through these actions, because the regulation requires them to be able to show it.
All participants agreed that staff on the ground are a considerable risk for wealth managers with respect to complying with privacy policies. Relationship managers commonly keep their own repositories of contacts and typically push back on any efforts to centralise them, although centralisation will be necessary under GDPR. A culture change will be needed for relationship managers to relinquish their individual books of contacts, and staff may need to be trained to reflect this.
The roundtable concluded with discussion of the wider impact of GDPR across the industry and the immediate challenges that firms are facing. GDPR is not just an EU issue but a global one, as US firms will have to comply with the regulation in respect of their EU clients. Firms should already be re-negotiating existing contracts with data processors and identifying where all of their client data is currently kept. Participants were also advised to revise and re-issue privacy notices, and to prepare to deal with increased data requests from clients.
- Contracts with data processors should be re-negotiated and systems updated to ensure firms have a clear line of sight into where data is stored.
- Staff may need to be trained as part of a culture change to ensure privacy is built into every product and service from the outset.
- Re-permissioning data on a lawful basis other than consent will still allow firms to process aspects of client data under their legitimate business interests.