The EU’s General Data Protection Regulation came into force two-and-a-half years ago, yet wealth managers’ travails with this incredibly wide-reaching, complex piece of legislation - and those emulating it internationally - are far from over. New research examines what the pressures are and why the industry must handle them.
Regulatory requirements around data protection continue to be a huge headache for businesses, and in particular ones like wealth managers for whom processing personal information is their lifeblood. Here, we delve into this hugely important but generally neglected area of research to paint an up-to-the-minute picture of how firms are coping.
The EU’s General Data Protection Regulation came into force two-and-a-half years ago, yet wealth managers’ travails with this incredibly wide-reaching, complex piece of legislation - and those emulating it internationally - are far from over. In fact, as new research by this publication and regtech firm Apiax shows, reducing the associated costs and operational pain is starting to look very urgent indeed.
Having surveyed and interviewed data protection specialists from a wide range of private banks, wealth managers and Tier 1 banking groups operating in Europe, what first became clear is that firms’ data protection challenges mirror the fulsomeness of the regulations they contend with (EU GDPR alone comprising 99 Articles and 173 interpretive Recitals).
Although 27 per cent reported that their biggest challenges stem from transferring data to other parties and countries, the majority (53 per cent) are still tripping up on issues with day-to-day internal processing. The remaining 20 per cent cited concerns as varied as infrastructure complexity, sheer volume of work, culture and documentation like the Data Protection Impact Assessments that must be carried out for high-risk processing or technology innovations.
Unsurprisingly, given that it touches on so many business areas, data protection specialists are helicoptering to assist a panoply of departments including legal, HR and front-office. However, one stands head and shoulders above the rest in creating most work. As wealth managers further accelerate technology change to deal with the pandemic, a full 50 per cent of respondents report that IT is their department’s biggest client.
As the battle-hardened will know, GDPR also interacts with (and often rubs against) many other laws and regulations. These include rules concerning electronic communications like the EU’s ePrivacy Directive, but also those governing employment, financial record-keeping and the sharp end of governmental imperatives like AML and surveillance. It is little wonder that the data protection laypeople within organisations need significant help with meeting their obligations. As one Data Protection Officer said, “literally everyone is knocking on my door”.
Keeping up to speed
The burden is exacerbated by the fact that data protection teams are often smaller than one might expect, even at very large firms (of which more later). But what came through most strongly is that informing colleagues is only a downstream issue.
As case law, regulatory guidance and even the interpretation of the rules themselves evolves, it is clear that staying on top of requirements is a massive challenge even for the specialists themselves. For starters, the fact that EU states can exercise a wide range of derogations means this apparently “General” regulation can be very territorially particular indeed in its application.
More challenging still is the barrage of change even at the level of primary law. The bombshell invalidation of the US Privacy Shield on 16 July was an object lesson in how fast institutions’ carefully - and expensively - developed processes can be upended. No grace period was granted to the thousands of organisations exporting data to the US under it.