The TRADE 55 | Page 14

[ NEWS REVIEW ]

Asset managers reporting mixed readiness for GDPR

Asset managers who are only just figuring out MiFID II appear to be particularly behind the curve with GDPR preparedness.

A few years back, a livid father from Minneapolis stormed into his local Target and berated the manager for sending his teenage daughter coupons for their pregnancy stock. The daughter – who was expectant but had not yet told her family – had been browsing Target’s pregnancy selection, which was flagged by the company’s customer tracking system leading to the coupons being dispatched in the post to her house and unsuspecting father.
Unfortunate stories like this have convinced regulators that the license which companies have to use customer data for commercial purposes needs to be more tightly controlled and is the basis behind the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR is not a piece of financial services regulation, but it will bring about some significant changes in the industry from 25 May 2018.
GDPR compliance progress is seemingly quite mixed across financial services, according to industry experts. “Some firms are better prepared and have been working for longer on their GDPR compliance. We are generally seeing a different range of preparedness across different sizes of clients,” said Wendy Phillis, head of governance and regulatory solutions in Europe and APAC at RBC I&TS.
Asset managers who are only now just figuring out quite what MiFID II means for their businesses appear to be particularly behind the curve. “Many financial institutions are still in the early stages of GDPR compliance, mainly because a lot of organisations have been busily implementing MiFID II and certainly are at an earlier stage than we would have anticipated given the deadline,” said Mark Browne, partner at law firm Dechert in Ireland.
GDPR is an enhancement of existing data protection rules, detailing that financial institutions must acquire consent from consumers to use their data, and gives people the right to be forgotten. GDPR also requires that organisations provide clients with a comprehensive explanation as to what their data rights are and how information is used.

Welcome development

Such clarity over consumer data rights is a welcome development. A few years ago, two researchers from Carnegie Mellon took it upon themselves to calculate how long it would take the average American to read through all of the privacy policies which they sign up to. The number they arrived at was 76 work-days.
GDPR also mandates that organisations have mechanisms in place to avert or manage data breaches. “GDPR puts a lot of emphasis on ensuring companies have processes and controls in place to protect data. In the event of a breach,
14 // TheTrade // Spring 2018