With a quarter of businesses in the finance and accountancy sector totally unaware of the EU General Data Protection Regulation, we interviewed John Culkin, Director of Information Management at Crown Records Management, to find out about the regulation and what financial businesses can do to prepare.
The EU General Data Protection Regulation is back in the news after EU politicians met on June 24 to begin the ratification process. What is the update for the banking and finance sector?
The update is that we are edging nearer to an agreement after ‘trilogue’ discussions between the EU Commission, European Parliament and the Council of the EU got underway. Another meeting is planned in July and the stated aim is to ratify the Regulation before the end of 2015, under the current Luxembourg presidency. Whether that will be possible remains unclear. But I think we can be pretty certain that the general principles behind the Regulation are already agreed and that businesses should start to prepare.
Can you sum up exactly what the EU General Data Protection Regulation is and why it is being brought in?
The EU wants to reform data protection and cut red tape for businesses across Europe by bringing in a single set of rules. In future there will be one single Data Protection Authority (DPA) responsible for each company, generally reflecting where its headquarters are based. The Regulation also aims to protect the rights of European citizens to have control over their personal data.
Who will it affect?
Any business that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens.
Having written white papers on the subject, what is your gut feeling around how well prepared the industry is for the changes that lie ahead?
I think there is reason for concern because many businesses in the UK and in particular in the finance sector are either unprepared or even in some cases unaware of the changes.
At Crown Records Management we recently commissioned a Censuswide survey to assess what people knew about the Regulation and what they were doing to prepare for it.
The sample was 407 IT decision makers in companies with at least 200 employees, so it was significant, and the results were interesting.
A frightening 22.8 per cent of respondents in the finance sector admitted they knew nothing about the new Regulation, for instance.
Some other headline figures were that almost 50 per cent of companies in the finance sector said they weren’t yet planning to review policies ahead of the new Regulation.
Almost 60 per cent do not yet have plans for staff training – and a quarter are planning to wait for the Regulation to come in before deciding what to do.
A quarter of respondents being unaware of the Regulation is a big figure when you consider it could be ratified in the next few months. Did it surprise you?
No, I don’t think the results surprised us but they did indicate very clearly that many businesses in the finance and accountancy sector are leaving it dangerously late to prepare for the new Regulation and are worryingly uninformed.
You do wonder if people have grasped the enormity of what lies ahead. Around 38 per cent of respondents in the finance sector said they were either not concerned or only ‘quite concerned’ about the changes.
But for people to say they are ‘not concerned’ means they are not concerned about potential fines of 100m Euros, or five per cent of global turnover.
The important question is not just whether businesses are worried or not, but whether they are being proactive and taking early action to prepare.
How does the banking and finance sector compare to others?
It certainly isn’t leading the way according to our survey results. In the legal sector, for instance, only 8.7 per cent were unaware of the new Regulation. Those in the public sector, facilities management and retail sector were also better informed.
It’s not to say the industry as a whole is in the dark because many companies are well prepared and on the ball; but certainly there is room for improvement.
Almost 50 per cent of companies in the finance sector said they weren’t yet planning to review policies ahead of the Regulation, and almost 60 per cent have no plans for staff training.
Compare that to the facilities management sector where 60 per cent are already training staff, or to the insurance sector where 60 per cent are reviewing policies, and you can see there are considerable differences between sectors.
How much time should businesses leave to get ready for the Regulation?
There are many aspects of preparation which take time. Undertaking an information audit is just the start. Processes may need to be updated following that audit. Companies may need to employ a Data Protection Officer – and the good ones will be in demand. Training staff can take considerable time, too.
But it’s not all negative. I think companies need to wake up to the commercial benefits of complying with the new Regulation early, too. Consumers are going to be attracted to businesses that comply.
It is too easy to say that 2017 is a long way off or that, with the final details not yet confirmed, there is time to take stock. The reality is that time is short and the changes required significant; so the time to act is now.
What will be the most challenging aspects of the Regulation?
With so much focus on how the data of European citizens is stored and handled, businesses will face a serious challenge to get their processes in order.
To begin with they will need the specific and freely-given consent of data subjects to collect data in the first place. Data must be accurate and up to date. The policy of ‘privacy by design’ means data protection should be at the heart of all processes.
Citizens will have the right to view their data and ask for it to be edited. The ‘right to erasure’, which has already struck Google, will add further complications as companies will be expected to find and edit large amounts of data quickly – and will need processes in place for data subjects to make those requests.
The threat of data breaches will no longer be a concern only for data controllers but also for data processors as huge fines are introduced across the board.
The Regulation requires companies with more than 250 employees to appoint a Data Protection Officer. Smaller companies which hold more than 5,000 personal data records will have the same requirement. For many it may be more sensible to outsource this post; but the financial implications of the new Regulation will also be a concern.
What are the biggest concerns for the finance sector?
Respondents in the Crown Records Management Survey placed the difficulty of implementing the Regulation as the biggest concern, followed closely by the ‘right to erasure’, and the cost of implementation. Clearly there is work to be done to prepare in the coming months.