Tag Archive for: GDPR

Those of you trawling through Waterstones best sellers and bargain books (other book shops are available) may not have stumbled on the FCA Business Plan 2018-19.

You may be under the impression that after the excitement of MiFID II and GDPR, there is a lull. Indeed, there appears to be a period of grace but this, unfortunately, is a false dawn. The business plan outlines some 12 reviews, 8 publications and numerous other activities across all financial services.

Some of the “highlights” include the proposed Suitability Review 2019, a follow-up to the highly successful 2017 review. (Is it me, or do we seem to be following the same naming convention as the FIFA video game?)

The thematic priorities, which will have diverse methods of addressing and review, are:

  • Culture and governance
  • Financial crime and AML
  • Data security, resilience and outsourcing
  • Big data and fintech
  • Treatment of existing customers
  • Pensions
  • High cost credit

Key priorities within these themes are finalising the rules of the Senior Managers and Certification Regime and monitoring the roll-out of technology and resilience as part of Open Banking and the second Payment Services Directive (PSD2). With third-party providers able to access a client’s data and make payments, this will be an important test of the security of the directive.

Introspectively, the FCA are also testing and applying RegTech and advanced analytics to the approach to regulation which may open the door for firms to move to similar schemes. Also, the FCA will be creating a Memorandum of Understanding with the Information Commissioner’s Office. This may lead to a focus in certain reviews and questionnaires on data security.

We have not heard the last of MiFID II either and, although a collaborative approach has been taken to date, we may see considerably more depth to the monitoring, particularly of transaction reporting and the inconsistent approach to research costs.

So, enjoy the summer’s fine weather, holidays and sport and look forward to the next year or two’s regulation with a spring in your step and a passport in your hand (Brexit allowing of course).

As more details become available on each of the areas, we will publish a short pragmatic guide on what they mean and what you will actually need to do.

With a couple of months to go until GDPR becomes law, how far up (or down) the Information Commissioner’s 12 steps are you from compliance?

We would like to give some practical guidance and advice, as well as share our experience to date. Projecting aren’t compliance experts (and don’t pretend to be), but our recent experience has demonstrated that, as with most other compliance projects, the practical application of the regulations requires an operational brain with a compliance awareness, and that’s where our clients have been utilising Projecting.

So, here are our top tips:

  • Have a clear Data Policy that covers clients, employees and vendors
  • Communicate clearly with all of these groups on their rights and your data retention procedures
  • Take the opportunity to assess and clean up personal data repositories and anywhere else you keep personal data internally
  • Use this as a marketing opportunity to affirm data security with your clients
  • Document your impact assessment fully, i.e. which regulations are in and out of scope
  • Be clear about whether you are a data controller, a data processor or both
  • You may never get an exhaustive list of the business areas and functions that are impacted, but keep communicating and, importantly, training, and you will reduce the risk of gaps
  • Utilise the Information Commissioner’s Office (ICO) website
  • Don’t be distracted by some of the esoteric impacts suggested, e.g. business cards – stay principle-focused

So, we haven’t provided all the answers, and would never hope to, but rather than be as prescriptive as a management consultant, we want to share the pragmatic and not the enigmatic. As with all regulatory projects, we hope that this will assist in putting context and focus on the GDPR project you are undertaking.

And it won’t surprise you to know that we are covering all of the above in our own, internal, Projecting GDPR project!