Data Privacy - Who Are We Really Looking After? A Positive Case For Compliance
“Probably the worst word they could have used.” This is a quote from a very senior cyber security professional whom my company engaged soon after hearing about GDPR in 2015. I assumed, for a while, that he meant “Global”, because we had all presumed (wrongly) that the “General” in General Data Protection Regulation was actually “Global”. We all felt that the EU was attempting to extend its powers beyond its borders. It was only after delving deeper that we realised he meant “Data”.
His opinion was that it would be given to the wrong people to work out a solution. Then I understood; it isn’t IT and it isn’t about Data. It’s about control of your environment and misuse of data and misuse of business processes; giving this to IT people to solve will only lead to the motive behind the legislation becoming diluted. I had to agree.
The rules around regulation since the market crash of 2008 have one thing that is consistent across all of them. From banks to brokers, from AI managers to traditional long-only funds, from HFTs to their exchange counterparts, the rules are applied to control operations and behaviours so as to make them transparent to regulators, governments and the public combined. No country or supranational body has written rules that prescribe the way things must be done and how to do them. They have set guidelines that they wish people to achieve, and they have layered those guidelines on top of each other with every move: SMR covers areas that MAR covers, which in turn covers areas that MiFIR does, and so on. None of that is about the data, and neither is this. If you are doing data audits, stop and think again. You need to be auditing your processing of that data, not what it is. It is your processes you need to control, and good rules around the data follow from that.
GDPR and the DPB are another attack on the perceived lack of control and lackadaisical mindset of business when it comes to thinking about the public at large. Interestingly, though, they have not confined this to our industry, but have extended the scope of the legislation to include all companies, public authorities and government. The investment industry and its wider financial services cousins were, for once, not the first target. The big data companies like Google, Facebook and Amazon are clearly in the crosshairs first, hence they have been trying to manage this problem for two years. This does not mean for one second that we can hope to hide in plain sight. The regulations work together and will be used by financial services regulators as another determination of whether appropriate controls and behaviours are in place in organisations, and the finance industry is way behind in its response to this. Apathy, along with regulatory fatigue, are the primary culprits, in Eyestorm Advisors’ opinion.
Case in point: many of the rules that GDPR is looking to pursue with such vigour are already in place, but not so one would know it. The Data Protection Act (the UK regulation that GDPR supersedes) already makes it possible for an individual to check which information you hold on them (GDPR names these Subject Access Requests). Marketing has strict rules that restrict who can be contacted, by what medium, and what is deemed reasonable.
So why the big deal now?
Sheer weight of purpose, of course. The full force of the law is going to fall on those that deem these things to be “optional”, as one could say they are now. The recommendation to most businesses in the past has been that the law does not take this particularly seriously (a maximum fine of £500,000 is not small, but to a multi-national it really does not warrant panic) and that the reputational risk, rather than the statutory responsibility, is probably the biggest reason to do the right thing.
Administrative fines can now be made much, much bigger (up to 4% of your group turnover). This should make anyone stop and take this seriously. Funds should also be very worried about the threat of class action lawsuits and the reputational risk of data breaches brought about through lack of control.
Put yourself in the minds of your customers. Would you keep your money with a fund that can’t look after your personal details? How effective will the management of money be if asset managers must manage to pay the fines from their fees? The adage that “the customer always pays for every fine” is something that your investors are going to take very seriously. Let them down with this and you are deemed to be untrustworthy; not a good place to be.
Next, there are also mandatory reporting times of 72 hours for breaches that may affect a data subject’s privacy (a data subject is the living person who loaned you their personal data for you to keep secure). Hiding from the regulator and smoothing things over is not the way to meet your obligations. Fines will be punitive for covering up, and criminal charges will be brought. The regulators have specifically requested and been given this power. They will use it.
This is not a tick-box exercise. Recently, we have seen companies (software and consulting firms) offering to make sizeable organisations compliant in a few days, mostly by giving them an app to use. Managing lots of other people’s money comes with obligations and compliance cost, and the market is looking to spend as little as it can. However, any business that thinks this is a regulation it can pay lip-service to needs to ask itself this question: when the ICO comes to audit our organisation on the back of a complaint, what will they be satisfied with? Anyone who has been audited by the FCA, PRA or any of the other financial regulators around the globe will be fully cognisant of the type of response an asset management company is likely to receive if it shows that it has not taken its obligations seriously. The regulations around GDPR have criminal sanctions attached to them for senior individuals deemed responsible. C-suite executives’ minds are being challenged, their approach to this is being questioned, and a “sticking plaster” simply will not do. The DPB goes even further, making all data relevant to the rules and not just privacy data, so any thought that the burden may be lessened post-Brexit is incorrect. It is going to be more stringent, not less. A comprehensive review, and automation to make the tasks less onerous, are going to be a must.
So, Who Are You Really Looking After?
No, seriously. The criminal sanctions alone make this a potential prison sentence for those that are not treating their obligations seriously. Health and Safety legislation, when first introduced, was seen as optional and aspirational. Criminal convictions followed, and now everyone treats their obligations as sacrosanct. If the idea of prison does not worry you, then the reality of it might.
2. Your Customers.
It is in the best interest of any fund to have absolute trust between themselves and their customers/clients/investors. I would not care to explain to my investors how I had managed to lose their personal data. I am sure that no one would. Funds need to recognise that one severe breach could become an extinction-level event.
3. The Integrity of the Industry.
Too many bad headlines in the newspapers. Too many damning articles on TV news. No one wants to see that situation return. The industry has a chance to win this one, be properly compliant, and show the way to the rest of business and the public sector. Our industry knows how to deliver complex regulation and has the mechanisms to do so. A bit of good publicity would come as a welcome riposte to the tidal wave of criticism we have all had to endure.
The positive advantages of being compliant need their case made.