Data regulations are about to get their biggest shakeup ever. There is now less than a month left before Europe’s General Data Protection Regulation goes into effect on May 25. The new rules have been looming in the background for months, but they’ve come to the forefront of people’s minds since the Facebook data scandal drove personal data into the spotlight. Americans may be quick to dismiss GDPR as a European issue, but the reality of global businesses and the digitalization of data means it’s a very real regulation that everyone needs to care about.
For wealth managers, understanding the implications of GDPR is paramount. Any company that processes data in the EU, or data on EU subjects even outside the EU, will fall under the regulation and is subject to penalties. Noncompliance could mean fines of up to 4 percent of your company’s annual global revenue, or €20 million, whichever is higher. GDPR is meant to expand individuals’ control over how and when their personal data is used. That means if just one EU citizen visits your website and has their data collected, your company is subject to GDPR and must allow that individual control over his data. And the EU has made clear that it won’t just be chasing down the Facebooks of the world to make sure its regulations are enforced. The United Kingdom alone is reportedly hiring 200 enforcement staff.
Still questioning whether GDPR is going to affect you? Think about your client base. Many modern high-net-worth individuals are global in nature, meaning that they may be seeking wealth management services across borders. And think about how often data is used in wealth management. Firms often use automation tools to process data to assess things like a client’s risk appetite. The use of automated advice platforms to run data analysis or algorithm-driven processing certainly uses clients’ personal data.
It’s the power of data that is at the heart of this battle. Companies, from social media to retailers to wealth managers, all use data to gain, serve and retain clients. The use of data isn’t going to go away, but many of the ways wealth managers use data today may have to change, or at least be thought through carefully. For instance, if a client wants your company to “forget” him, that means you have to respect his request for a data purge. Keeping that client on email lists would be considered a violation. Firms should be prepared for current, former or prospective clients to “opt out” or ask for deletions. If you’re a business with a large client list, you’re going to have to face the likelihood that the lists will shrink.
There’s no passing the buck under GDPR. Your firm is dealing with so much data to process and store that there’s a good chance you’re using an external data administrator. Under GDPR, you’re still on the hook for any data violations or leaks that happen when you’re using a data processor. Closer to home, this also means checking how your office handles data. Practices like encryption should already be in place in your office, but it’s worth a further look to make sure you and your employees are being careful about how you transport, use and share the data in your possession. Computers, mobile phones, external hard drives, or anything that carries client data, needs to be protected at all costs.
There may of course be some loopholes in all of this. After all its recent troubles, Facebook is attempting to get ahead of GDPR regulations by removing some of its users from the EU jurisdiction. About 1.5 billion Facebook users in Africa, Asia, Australia and Latin America are tied to terms of service that link to Facebook’s Ireland headquarters, clearly falling under GDPR. Rather than deal with that added hindrance, Facebook will change its terms of service so that only Europeans fall under GDPR and everyone else will be subject to the more forgiving U.S. regulations, through Facebook’s California home. Such regulatory finagling may be useful to some U.S. companies, but firms should still tread carefully.
The implementation of GDPR may seem scary, but it really isn’t all doom and gloom. The biggest hurdle we’re all facing right now is the fact that we don’t really know what GDPR enforcement is going to look like. Every single company is starting from square one to work toward full compliance with the regulations. You may find that your company already holds itself on par with, or close to, international privacy standards. Post-financial crisis regulations certainly upped the ante for all financial firms. You may find this to be a good opportunity to revisit your business practices. The Facebook scandal has made even non-EU clients think more carefully about how their personal information is being used. This is all going to involve a lot of time, effort and money across industries to play it safe or face more expensive repercussions. Hopefully, as the regulation kicks in, more guidance will become available. In the meantime, you can assure your clients that their data is protected, and under their control.
April Rudin is founder and president of the digital marketing strategy firm The Rudin Group.