Posted: 25 May 2018

What can you learn from the GDPR for your next regulatory programme

With the EU General Data Protection Regulation (GDPR) implementation date upon us, we’re taking a look at the most common errors we’re seeing in financial services (FS) firms’ approaches to their data programmes, both in readiness for the deadline and for ongoing compliance.

  • Too much looking at the regulation instead of the regulator.

    GDPR is a huge, sprawling array of rules and regulations. It’s a 160-page document containing 99 separate articles and even more specific provisions, many of which will be open to different interpretations. Ensuring immediate compliance with every provision of GDPR is nearly impossible, regardless of the resources poured into the project. You need to prioritise. Unfortunately, too many FS companies are so focused on the regulation that they are ignoring the regulator. This is an error, because numerous bodies charged with enforcing the regulation around Europe have offered helpful signals as to what they see as the clear priorities. Whilst all FS firms are asking themselves how they are engaging with the new regulations, not enough are asking about their relationship with the regulators.

  • GDPR readiness is being treated as an isolated programme.

    Given the task of ensuring GDPR compliance, most FS companies have created specific project teams to manage the process, with significant numbers of staff working full-time on the issue. This is understandable – GDPR compliance will require a significant workload and so a dedicated team of GDPR experts is vital. However, we’re seeing too many isolated programmes and separate business processes being created around GDPR compliance. In reality, the breadth of the new regulations is such that it will require knowledge and input from vast numbers of company staff, not just a dedicated team. Firms need to focus on integrating GDPR compliant processes with all existing systems and processes.

  • One day of shining compliance, and then…?

    The 25th May is the first day on which FS firms are required to be GDPR compliant. However, it could turn out to be the day on which they have their greatest level of compliance with the GDPR. Whilst there’s nothing like a deadline to set the mind to task, deadlines don’t always produce our best work. Naturally, the 25th May has some GDPR project teams a little scared, with many worried that new systems and processes won’t be live in time. As such, teams are rushing to ensure these new systems and processes do go live in time, without necessarily building sufficient sustainability into them. Once that one shining day of compliance on the 25th May has passed, the project teams will dissipate, and so might the new systems and processes. Firms need to worry more about building a sustainable response to GDPR than they do about the 25th May.

  • GDPR programmes are not being built for business-as-usual.

    Project teams implementing GDPR compliance are, naturally, making decisions with the objective of completing the programme in time for the 25th May. This might seem harmless enough, but it’s a subtly dangerous objective. By prioritising readiness above all else, GDPR project teams aren’t being encouraged to ensure that new systems and processes work with minimal disruption to business-as-usual. Objective setting at the start of a project is of course crucial: being just one or two degrees off course from the outset can eventually lead you far from where you want to be, and you only recognise the error once you’ve strayed too far. As GDPR compliant processes are integrated with business-as-usual, that is when the real scale of the problem will become visible.

  • GDPR is seen as a cost and an inconvenience, rather than an opportunity.

    We know how most businesses feel about new regulations, especially broad, sweeping regulations that require significant changes. These kinds of regulations are viewed at best as an inconvenience, and at worst as an extensive new cost or tax. This is not the best way to look at GDPR. Will it cause inconvenience and cost money? Absolutely. But the best response is also to see the opportunities created by the new regulation. GDPR is – along with other new regulations – forcing firms to get their data in order and to build greater trust with their clients by being transparent about the data they hold. This creates enormous opportunities, but those opportunities will go unrecognised if GDPR is viewed solely as a drain on the business.

Ready or not, GDPR is here, and the stakes are high for financial services companies. The road to compliance may be challenging, but underestimating or underpreparing could pose greater problems for firms. The road to GDPR is a marathon, not a sprint. Similarly, the 25th of May is not a finishing line, but the start of building increased trust with customers and delivering better outcomes.

I’d welcome your thoughts or queries on GDPR’s impacts on the industry.

Key contact:

Stephen Bonner

Partner

Stephen is a Partner within Deloitte’s Cyber Risk Services practice with over 5 years of security consulting experience and over 20 years of financial services industry experience. In particular, Stephen ran global security teams and was accountable for Cyber Security, Records Management, Data Privacy and Identity and Access Management for a global FS institution. Stephen is a Founder Associate Member of the Institute of Information Security Professionals. He won Information Security Magazine Security Seven award 2006, ISE UK Project of the Year award 2008, SC Magazine Best Security Team 2006, Team of the Year 2009, Person of the Year 2009 and Project of the Year 2010 and was inducted into the InfoSec Hall of Fame 2010 and ranked #1 in Most Influential in Information Security by SC/ISC2 2010.