GDPR compliance - financial services firms are amongst those in the lead

08 November 2017

We recently surveyed 300 Chief Privacy Officers, Chief Information Officers, General Counsels, Chief Compliance Officers, and CEOs in US, UK, and Japanese companies about their General Data Protection Regulation (GDPR) programmes.

Not surprisingly, financial services are leading on GDPR progress along with companies in the telecoms and retail sector within the three countries. Only 8% of UK companies have finished all their preparations compared to 22% of US companies. This is likely to be because US data privacy regulation is currently a lot more stringent than the UK. In the past the Information Commissioner’s Office (ICO) hasn't arguably been as firm as US regulators as our data privacy law isn’t currently enforceable.

What should you focus on if you haven’t started your GDPR programme?

We found that 5% of UK companies have not started preparing for the GDPR. With less than seven months until the compliance deadline, these organisations risk regulator fines, litigation costs, and lost contract opportunities.

Your biggest risk is likely to be third parties, so it is essential that you check your third party contracts are GDPR compliant.

You also need to demonstrate to the regulator that:

  • you know where your data resides,
  • a breach handling process is in place,
  • you can respond to the rights of the individual.

171106-151613-LM-OS_V1_Graph 1 for web

The survey sample showed that UK companies are struggling most with privacy by design and data lifecycle management.

From my own observations, financial services organisations in the UK are seeing additional areas of challenge, namely:

  1. Data discovery – The challenge is specifically around identification and management of unstructured data.  This is data that in excel files, paper documents, voice recordings etc. residing in file shares.

  2. Subject access requests - The challenge of dealing with increased subject access requests and how this will open up other challenges, such as potential litigation if the data is not up to scratch.

  3. Retention – Clearing data that is no longer required and data that has been held in data stores for many years.  The easy part was getting it in, the challenge is now getting it out!

  4. Breaches – Defining what should be reported to the regulator versus what should be managed through your internal risk management process and what really constitutes a breach.
  5. Third parties – Many organisations deal with multiple third parties who process data on their behalf.  The challenge is updating contracts and ensuring that the third parties take responsibility in becoming GDPR compliant.

How much should you spend on your GDPR programme?

Of those companies that have completed their GDPR programme, 40% of US, UK and Japan reported spending more than $10 million. The pattern of increased spending was consistent regardless of company size. 

171106-151613-LM-OS_V1_Graph 2 - for web (1)


Driving competitor advantage - the GDPR and investor relations

The survey found that some companies see their GDPR programs as a potential differentiator in the market. Among companies who believe they have finished their GDPR programmes, 38% have engaged their investor relations departments, an indicator that they hope to highlight early compliance to help drive competitive advantage.  These companies should also look to extend this confidence out to their customers to strengthen customer trust in their business before the GDPR goes live.

Rav Hayer | Partner
Profile | Email | +44 (0)20 7213 3451
Follow @ravhayer06


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.