Financial services firms around the world have been working hard to hit today’s compliance deadline for the General Data Protection Regulation (GDPR). For many investment management firms, there was plenty to do ahead of implementation. But there is still work to be done.
The reality is that GDPR is less of a sprint and more of a marathon. Compliance with this regulation is going to be an ongoing process that will need to evolve as the firm’s business changes and as the external threat environment changes with it. It is likely that regulation in this area will not stand still, either. Below are three key steps firms should take as part of their ongoing approach to GDPR compliance:
1. Create a data protection culture – Certainly, investment management firms need to abide by the rules when it comes to GDPR. It’s important that everyone in the organization is clear about what the regulatory requirements are, and how those requirements affect the responsibilities of their own role. Many firms conducted GDPR training in the run-up to implementation simply to “tick the box”. However, fire-drill compliance training isn’t an effective way to keep an organization compliant beyond the very short term. Organizations need to put three types of GDPR training program in place:
- All-employee training – outlines the regulation to all employees. It explores the big themes, such as the definition of personal data and the rights of data subjects. It covers the company’s policies on personal data use, explains the ethical standards that are expected, and gives guidance on where employees should raise questions about potential misuse. While it is usual for firms to provide this kind of training annually, ongoing micro-training may be more effective for a regulation as complex and wide-ranging as GDPR. Micro-training keeps concepts fresh in employees’ minds and strengthens the compliance culture.
- Role-based training – more specialized training for employees in roles that deal with personal data. For example, in investment firms, human resources teams handle significant amounts of personal data, which the regulation requires to be handled in specific ways. The company is responsible for making sure training takes place so that activities in every department comply with data policies. Other teams that may handle personal data include IT and operations. Those who work with customers every day should have specific coaching on how to communicate with data subjects.
- Senior management and board training – for those who are at the top levels of an investment management firm. They need to understand how the regulation impacts their business, potential risks that it creates, and what questions they need to be asking of all three lines of defence as part of their governance role.
Specific types of investment firms may find GDPR requires much more of a change to their culture than initially expected. Hedge funds, alternative investment firms, and private equity firms might have had a more casual approach to the use of personal data for decades – mostly because personal and business relationships intertwine quite seamlessly in the normal ebb and flow of activities. Today, with the implementation of GDPR, these kinds of firms need to make a real cultural change to how they manage their data and support that change with the right training.
2. Industrialize GDPR compliance – Getting past the May 25th deadline is just the beginning of the firm’s GDPR compliance journey. Compliance teams need to make sure the business is sticking to the rules – policies and procedures need to be checked regularly. Some of this can be automated – for example, automated reviews of outbound email can flag personal data being sent to recipients outside the firm or to third parties that are not approved processors. Bear in mind that monitoring staff email is itself processing of employees’ personal data: it needs a lawful basis and a proportionate, documented scope, and systematic monitoring may require a data protection impact assessment of its own.
Other aspects of GDPR compliance need to be industrialized too. For example, if the business has decided that certain activities involving personal data should not be done, compliance needs to run regular control tests to confirm these forbidden activities are not happening. Industrializing this type of activity generally means using a RegTech solution that turns policies and procedures into scheduled control tests and automated alerts on the organization’s own compliance calendar. GDPR requires continual validation to demonstrate compliance; with such a high bar, investment firms should make the validation process simple for every team involved.
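As an added illustration of the automated email review and control testing described in step 2 (this is example code written for this page, not code from the article, from Cordium, or from any RegTech product), the policy “personal data leaves the firm only to approved processors” is turned into a check that runs over a batch of messages and raises a finding per category of personal data found. The firm’s mail domain, the approved-processor list, the two detectors and the sample messages are all constructed assumptions.

```python
"""Automated review of outbound email for personal data leaving the firm.

Added illustration, not part of the original article and not a RegTech product.
Assumptions: the firm's mail domain, the approved-processor list, the sample
messages and the detectors below are all constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAIN = "example-fund.com"                  # assumed firm mail domain
APPROVED_PROCESSORS = {"payroll.example-vendor.com"}  # assumed contracted processors

# Simplified detectors. Regexes alone over-match, so an IBAN candidate is also
# checked with the ISO 13616 mod-97 rule before it is reported.
UK_NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace
    letters with 10..35, and the resulting integer mod 97 must equal 1."""
    compact = iban.replace(" ", "").upper()
    rearranged = compact[4:] + compact[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Finding:
    subject: str
    category: str
    recipients: List[str]
    matches: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def unapproved_external(msg: Message) -> List[str]:
    """Recipients outside the firm that are not a contracted processor."""
    return [r for r in msg.recipients
            if domain_of(r) != INTERNAL_DOMAIN and domain_of(r) not in APPROVED_PROCESSORS]


def scan_message(msg: Message) -> List[Finding]:
    """Policy: personal data must not leave the firm except to approved processors."""
    outside = unapproved_external(msg)
    if not outside:
        return []  # internal or approved-processor mail is out of scope for this control
    text = f"{msg.subject}\n{msg.body}"
    findings = []
    ninos = UK_NINO_RE.findall(text)
    if ninos:
        findings.append(Finding(msg.subject, "uk_national_insurance_number", outside, ninos))
    ibans = [m.replace(" ", "") for m in IBAN_RE.findall(text) if iban_is_valid(m)]
    if ibans:
        findings.append(Finding(msg.subject, "iban", outside, ibans))
    return findings


def scan_mailbox(messages: List[Message]) -> List[Finding]:
    """Run the control over a batch of messages; each finding is one alert."""
    return [f for msg in messages for f in scan_message(msg)]


# Constructed sample traffic (no real people or accounts).
SAMPLE_MESSAGES = [
    Message("hr@example-fund.com", ["advisor@personal-mail.example"], "New joiner details",
            "Please set up J. Doe: NI number AB123456C, bank GB82 WEST 1234 5698 7654 32."),
    Message("hr@example-fund.com", ["ops@example-fund.com"], "New joiner details (internal)",
            "NI number AB123456C, bank GB82 WEST 1234 5698 7654 32."),
    Message("hr@example-fund.com", ["onboarding@payroll.example-vendor.com"], "Payroll file",
            "NI number AB123456C, bank GB82 WEST 1234 5698 7654 32."),
    Message("ops@example-fund.com", ["counterparty@bank.example"], "Ref check",
            "Reference GB82 WEST 1234 5698 7654 33 failed validation, please resend."),
]

if __name__ == "__main__":
    for f in scan_mailbox(SAMPLE_MESSAGES):
        print(f"ALERT [{f.category}] '{f.subject}' -> {', '.join(f.recipients)}: {f.matches}")
```

Only the first sample message produces alerts: the internal copy and the message to the approved payroll processor are in scope of the policy but allowed, and the fourth message carries a string that looks like an IBAN but fails the checksum. Two caveats for anyone building this for real: pattern matching misses personal data that has no fixed format (names, health details, free text about a person) and still produces false positives, so alerts need human review and periodic tuning; and the reviewers themselves are handling personal data, which is exactly the kind of role that needs the role-based training described in step 1.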
3. Have a leadership conversation about GDPR risk – When it comes to GDPR, it’s easy for leadership to get caught up in some of the on-trend terms that are being bandied about, or in the hunt for a “GDPR solution.” The reality is that leadership needs to stay focused on the risks that non-compliance could pose to the organization – and this focus requires good reporting. Such reporting needs to talk about specific risks and how the treatment of those risks relates to the organization’s overall risk appetite and business goals.
GDPR-related risks include the obvious one, administrative fines of up to 4% of global annual turnover or €20 million, whichever is greater, and that will usually grab the board’s attention. However, reputational damage can be just as devastating, and there are case studies of what happens to organizations that mishandle data privacy. Each organization should look at the specific kinds of risk it faces in its own business and regulatory environment.
When it comes to providing risk intelligence, pages of data on tech stacks and metrics are not useful for leadership. Instead, the business heads need to be able to understand the regulatory and operational landscape; what the risks are, what peers are doing, and what the regulators are doing. The reporting should also focus on the organization’s “crown jewels” – the most sensitive data, systems, and business processes. And remember, the crown jewels may sit within the organization or with a third party the organization works with. The reporting should answer a range of questions – What are the threats to those aspects, and if they are impacted, what is going to happen? What are the controls that are in place? What is the residual risk?
In summary, GDPR implementation is really just the beginning of a firm’s data privacy journey. For most organizations, there is still much work to do. Compliance pressure will come from multiple directions – investors are expected to demand assurance of GDPR compliance, and regulatory enforcement will be forceful, with examples made of a few non-compliant firms. The three key steps above will help improve an investment firm’s data protection, security and resilience in the face of this ever-evolving environment.
Michael Corcione is managing director, Cybersecurity and Data Protection Consulting at Cordium