2019 – a year of change
2019 is likely to go down as a year of continued focus on culture within regulated firms, but there's still more work to be done.
Is it really almost a year ago that the new GDPR regime (DPA 2018 in the UK) was implemented? Well, 25 May came and went, and we carried on - we wrote and published our new Privacy Statements, did our data audits, trained the staff and updated all sorts of material and processes.
I am sure that in some firms this is now a distant memory: it’s very much business as usual and the hullaballoo has been forgotten (Y2K similarities, perhaps?). But therein lies a potential problem waiting to surface.
GDPR was not a single job to deal with and park. Like most regulation, getting it in place is sometimes the easy bit (although I admit it may not seem like it!). Keeping it up to date and relevant is not to be taken lightly; it is an ongoing task which links directly to a firm’s culture and governance.
Alas, we hear of firms (not just in financial services) that do not check the TPS, which can cause the Information Commissioner’s Office (ICO) to look more closely.
Anecdotal evidence from the ICO has pointed to a very significant increase in firms who are self-reporting data breaches. This is a good position in many ways as it shows that the matters are being taken seriously. However, the ICO does have a concern that many of these reports are not actually serious enough to warrant a breach notification and can be dealt with ‘in house.’ So the message here is that firms should revisit what the ICO and the Data Protection Act 2018 classify as a reportable breach and ensure that internal procedures reflect what is needed.
Financial services will always be under ICO scrutiny, and although we’ve seen little visible activity, that isn’t to say that anyone should be complacent. Data protection forms part of the Business Model threshold condition, and breaches will not be seen favourably by the FCA, which in turn may provoke a detailed investigation into other business practices. Like most things, prevention is better than cure.