We recently passed the 500 day mark to the long-awaited arrival of the EU General Data Protection Regulation (GDPR) into force. Described as the most ground-breaking piece of EU legislation in recent times, the GDPR aims to make businesses more directly accountable for data privacy compliance and offers the public more access to and control of their personal data. The new rules contained in the Regulation extend the scope of the legislation to apply to organisations anywhere in the world which process the personal data of EU citizens. The Regulation will have a significant impact for all organisations, not least those in the Financial Services sector.
The Irish Data Protection Commissioner recently stated in their guidance notes that it is imperative for firms to commence their preparation for the implementation of GDPR as soon as possible, “by carrying out a review … of all current or envisaged processing in line with the GDPR”.
Since the turn of the year and with the implementation date looming ever closer, we at Broadgate Search have seen heightened demand for Data Protection expertise across the Financial Services sector. It is now not possible to have a conversation with candidates or clients without GDPR being mentioned in some context.
Hugh Jones, COO at Sytorus, one of Ireland’s leading DP consultancy services, is already seeing movement among their clients to prepare for 2018. “Several EU agencies have now issued guidelines in terms of the areas for focus when preparing for the GDPR. We are working with our clients to conduct reviews of data quality, updates to their data management policies, changes to their contracts and introduction of new procedures – chief among them being the Privacy Impact Assessment and support for the already-infamous ‘Right to be Forgotten’!”.
There are several pertinent points from a recruitment perspective when considering the GDPR. Although an early draft of the legislation limited the criteria for the mandatory appointment of a Data Protection Officer, the final version has relaxed such restrictions.
Jones says, “Here again, organisations are giving a lot of thought to the nomination of their DPO – while the legislation is fairly scant on the role, it is nonetheless a key decision for any organisation. You will want someone knowledgeable on the legislation, familiar with the organisation’s processes, and senior enough to command respect and have authority to direct data management policy. That is not always an easy person to find!”
Findings from a recent study conducted by the Internal Association of Privacy Professionals, indicates that GDPR will result in the need for over 28,000 Data Protection Officer Appointments in Europe alone before the implementation date of 28th May 2018. More recent estimates by the EU
Commission put that figure at close to 70,000 by the end of 2020, according to Sytorus, as more organisations get wise to the strategic value of having a qualified specialist managing their data processing activities and protecting their brand.
Also, the need for more extensive and robust systems to minimise risk is increasing the need for Compliance professionals with an expertise in Data Protection. From an operational standpoint, we are also seeing roles being created within Financial Services firms for professionals with an Information Technology and Audit background to enable those firms deal with the first line implementation of the Regulation.
Similar to the 3rd & 4th Money Laundering Directives in previous years, Financial Services are now restructuring their Risk & Compliance functions in such a way that Data Protection is becoming a stand-alone function rather than sitting as yet another responsibility of the Compliance Officer.
We expect this trend to continue across the sector given that the legislation mandates the appointment of a DPO in certain organisations where core activities involve the “regular and systematic monitoring of subjects on a large scale or the handling of a large scale of special categories if data”. This will include medical, genetic and biometric data, CCTV footage, cookies deployed via websites, and the processing of PPS numbers in relation to employment or social welfare entitlements.
We must also bring the topic of reputational risk to the table when it comes to the GDPR. We are already seeing firms, who do not have an obligation to appoint a DPO according to the Regulation, choosing to do so from a ‘best practice’ perspective as they recognise the inextricable link between competent data management and the public perception of their brand.
Sytorus is already seeing a clear indication of risk awareness among their clients. “No organisation would willingly welcome the reputational damage, as well as the financial impact, of the new raft of administrative penalties provided in the Regulation. The role of a DPO will be integral to embedding an appropriate data management regime within the organisation in time for the Regulation in 2018,” according to Jones.
For further information or to discuss anything in the above, please feel free to contact one of our specialist consultants on 01 608 7748. If you wish to speak with Hugh Jones please feel free to contact him on firstname.lastname@example.org.