Financial services institutions worldwide need to get their houses in order by 25 May 2018
What’s at stake?
It’s common knowledge by now that come 25 May 2018, anyone that handles personal information of European Union (EU) citizens will have to comply with the General Data Protection Regulation (GDPR).
Those who don’t comply with the new laws will face severe penalties: 4 percent of annual global turnover or €20 million, whichever is greater.
In this series, I’ll take you through the nuances of the new regulation and provide helpful guidelines on getting your HR function and people ready for GDPR.
Who does GDPR affect?
Human Resources personnel face substantial challenges when it comes to getting the business and its people GDPR-ready. Although GDPR is a set of data management laws for the protection of EU citizens (including people from the UK), it has a ripple effect that reaches far beyond Europe.
Even companies located outside the EU that process and store data of EU and UK citizens will have to comply with GDPR. This means that the onus is on the company and its HR function to make sure their data protection systems are up to date and follow the rules of GDPR. In the new environment, no one can claim ignorance or procrastinate when it comes to data protection.
Four things will change under GDPR
Financial services (FS) institutions must be mindful of how the new data processing and record-keeping requirements will change many aspects of their business:
- Expanded individual rights: GDPR’s biggest goal is to protect any personal information that may identify EU citizens, no matter where it is processed. This gives citizens the right to be forgotten, the right to erasure, and the right to portability. It shifts accountability to third-party data processors and demands that companies ask for unambiguous consent from citizens to use their data.
- Widened scope: GDPR provides a wide definition of “personal data” and tighter principles that will affect all EU data subjects, regardless of where the data controller or processor is located. There will be even more regulation than before, as well as new rules for how companies process genetic, biometric or pseudonymous data. Compliance teams headed up by data protection officers will likely need to be reinforced to be able to accommodate increased customer requests and be prepared to respond to any regulatory queries over and above the requests coming in from other regulatory bodies.
- Stronger enforcement and accountability: Governments, businesses and individuals will be able to lodge civil suits if companies don’t comply with GDPR. Furthermore, it’s up to data processors, not only controllers, to ensure that they keep to the rules. A data protection authority will conduct assessments and approvals to ensure compliance.
- Harmonization across the EU: The European Data Protection Board, as well as local regulators, will ensure compliance across the EU and beyond. This will enable a simpler legal landscape across the EU.
The main priority right now is to make sure your company is taking the right steps to be GDPR-ready by 25 May. Companies need to act now to create a strategy for the future.
This first deadline is only the beginning: FS institutions are well-advised to look to the future where we envision a next phase of even more structured constraints.
Businesses need to get moving now to improve their practices and build a culture of good data behaviour. At a minimum, companies should be starting the difficult work of understanding the data lineage across their ecosystem: what data do they have, where does it go, and what is it used for? This is no small feat, so it is best to start right away.