How can wealth management firms become compliant with EU GDPR?

Olive Hawkins
May 8, 2018

It is widely recognised that customers' personal data must be given greater protection than existing regulation has previously allowed for.

Art. 33 GDPR introduces a new mandatory requirement for data controllers to notify the supervisory authority of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. As a business, you will have to review your practices so that you can show you have complied with the new requirements for handling data. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 (2) GDPR).

Art. 13 and 14 of the GDPR require data controllers to provide much more detailed information to data subjects about the processing of their personal data (e.g. the period for which personal data will be stored, the data controller's legitimate interest, the data subject's right to withdraw consent to the processing, and the existence of the right to make subject access requests). The company stressed that the move is "to design for privacy in our business practices", rather than relying on the move as a shortcut to GDPR compliance. The GDPR applies to any business established outside the European Union that targets its activities at a European Union market.

As a practicing attorney who has been dealing with domestic and global data privacy for over 20 years, I can confidently state that the GDPR is comprehensive, but complicated. Ozar noted that: "As a consumer, I love a lot of things about the GDPR", though pointed out that the penalties for noncompliance (€20 million or 4% of annual worldwide revenue) "are terribad".

GDPR goes beyond trade data, as covered by MiFID II compliance, by setting out new responsibilities for the financial sector regarding any personal data. A lack of standardisation in data privacy laws has made it hard for businesses to ensure that they are not in breach of any law across jurisdictions. In fact, it is estimated that of the companies that will be subject to GDPR, as many as half will not be ready for the compliance deadline, but it is not too late to begin preparing.


Still, many organizations have not taken these critical steps.

The additional security measures that are enforced under GDPR reduce the likelihood and severity of a data breach, and make data much harder to access in the event of a cyber-attack. All companies, however, regardless of size, should consider how GDPR applies to their business.

Individuals can also object to being solicited through direct marketing based on information collected about them, and have the right to have the data collected about them moved to another entity. Using an operational data hub (a virtual filing cabinet, built on a flexible, enterprise-grade NoSQL database with integrated Google-like search, which can hold a single, unified 360-degree view of all data) can pay dividends for data challenges where the data and the requests from regulators change over time.

Michael Cohen is a principal and the privacy officer at the Gray Plant Mooty law firm, where he advises clients on legal matters involving data protection, privacy and security.
