A global survey of investment firms by Cordium and AmberGate has found that over half are set to fail to be ready for the EU’s General Data Protection Regulation, coming into effect on 25 May.
Only 2% of those firms responding to the survey had finished putting GDPR policies and procedures in place. Some 59% said they were unprepared to deal with the 72 hour window to report a personal breach to regulators. And some 64% were unprepared to respond to a data subject rights exercise.
The findings are based on 279 responses sourced in early-mid April. Asset managers made up 38% of respondents, hedge funds 27%, private equity funds 15%. Most, 70%, of respondents were in Europe, with 40% in North America and 10% in Asia.
GDPR extends EU data protection law’s territorial reach, not only applying directly to firms based in the EU but also, for example, to those offering services to or monitoring the data of individuals in the EU, irrespective of where the firm is located.
Michael Corcione, managing director, Cybersecurity and Data Protection Consulting Services at Cordium said: “Companies that have not yet started their GDPR program – or those still at the early stages – expose themselves to significant compliance and reputational risk. Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as Mifid II’s earlier deadline, leaving GDPR to fall down the priority list. With just a four-week window firms should be practicing these procedures, not defining them.”
Robert Baugh, founder and CEO, AmberGate, added: “The lack of GDPR preparedness in the industry is concerning, particularly given the risk of regulatory action and the potential impact to a firm’s reputation. Many firms will now need to divert significant resource and time to the project – there is clearly still much to do across most organisations. Firms will face growing pressure from an internal governance perspective, from investors, and from regulators likely to take an increasingly firm stance on the issue.”