We are now around six months away from the GDPR day of reckoning in May 2018, when organisations all around the world will have to comply with the new EU General Data Protection Regulation (GDPR). Yet there is still a sense that many firms are some way from being ready. For example, a recent DMA report looked at GDPR readiness among UK companies, and found that just 58% of those surveyed felt they were GDPR ready.
Despite this, with six months still to work with, I suspect that most bigger firms will get their houses in order and ensure they are GDPR ready by the May 2018 deadline. This is especially so in financial services, an industry that is more used to changing compliance and regulation than others. Such firms might not be that advanced right now, but they have the resources and capacity to be ready by the time they need to be.
Is that the same for smaller and mid-sized firms though, within both financial services and other industries? GDPR will apply just as much to those companies as it does to the bigger businesses, and while they would certainly be aware of GDPR – or so you would hope – they might not have the time, resources or know-how to get started in time. Do they have the right internal controls in place? Have they got a data protection officer? Are they even aware of the exact requirements?
GDPR consequences for mid-sized firms
When that day arrives, an organisation that fails to achieve compliance with GDPR could face penalties of up to €20m or 4% of annual turnover, whichever is higher. This applies to businesses irrespective of size. It’s a significant fine and a major step up from the penalties that were in place for anyone that breached the previous directive, which was established way back in 1995.
The sheer size of penalty should be enough to focus the mind of any organisation that GDPR applies to. But for a mid-sized or smaller financial institution, such a penalty is arguably more of an issue than for a bigger firm, where budgets are greater and contingency plans more developed.
Going beyond that, there is also the possibility of customer churn should an organisation not be in at least a position to explain to its customers and prospects how it will cope with GDPR, and have a minimum set of processes in place to enable it to do so.
Addressing challenges as a mid-sized firm
The prospect of a GDPR penalty is another challenge for mid-sized banks. These are an important element of financial services, providing competition to bigger and more established institutions. But it is hard to make yourself heard against such opposition, and the barriers to entry can feel prohibitively high. Smaller firms are not as well-represented as they should be in industry bodies and panels, so have less of a chance to influence regulation and compliance requirements.
The regulatory environment is, in fact, growing ever more complex, and this complexity is a significant challenge for the smaller institutions. They do not have the HR resources, the industry voice or the tools required to stay on top of it all, and they are in danger of the business suffering as a result.
GDPR is the latest threat to smaller financial institutions, but their size and agility does mean they can address it effectively and smartly, with the right approach.
Old compliance strategies insufficient in the digital age
Attempting to address compliance internally, or even with project-based external support, can be a risky approach, especially for a smaller organisation. If the project is subject to delays this can lead to additional financial costs that can be hard to find.
There is, however, another option: supervised digital compliance. This method works by addressing compliance requirements – such as GDPR – as part of an overall continuous compliance programme. Because compliance is an on-going process, rather than a project that begins and ends, it’s an approach that makes much more sense in the digital era that we live and work in.
It relies on the support of a range of external experts: consultants who are aware of compliance requirements and have the expertise, experience and know-how to ensure that nothing falls between the gaps. Working this way, supported by a digital tool that takes away the hassle of managing compliance, can be a real boon for smaller organisations looking to manage GDPR.
Supervised digital compliance removes the need for human input into a compliance system, which is costly (particularly for a smaller firm) and not always effective, given that humans are fallible and make mistakes on occasion. Such an approach offers a continuous and smooth process when addressing compliance, and ensures a better night’s sleep for risk managers and the board.
Sourced from Eric Berdeaux, CEO of OXIAL