As we get ever closer to GDPR day on 25 May 2018, there is still a sense that many firms are some way from being ready. For example, a recent Netskope report looked at GDPR readiness among enterprise cloud services and found that almost three-quarters of them still lack key capabilities needed to support compliance.
Despite this, I still believe that most bigger firms will get their houses in order and ensure they are GDPR ready by May 2018. This is especially so in Financial Services (FS), an industry that is more used to changing compliance and regulation than others. Such firms might not be that advanced right now, but have the resources and capacity to be ready by when they need to be.
Is the same true for smaller firms, within both FS and other industries? While they would certainly be aware of GDPR – or so you would hope – they might not have the time, resources or know-how to get started in time. Have they appointed a data protection officer, where the regulation requires one? Do they have the right internal controls in place? Are they even aware of the exact requirements?
Failure To Comply: The Consequences Of GDPR
We are now around six months away from the GDPR deadline. When that day arrives, an organisation that has failed to achieve compliance with GDPR could face penalties of up to €20m or 4% of global annual turnover, whichever is higher. This is a significant fine and a major step up from the penalties that applied to anyone breaching the previous directive, which was established back in 1995.
The sheer size of penalty should be enough to focus the mind of any organisation that GDPR applies to. But for a mid-sized or smaller financial institution, such a penalty is arguably more of an issue than for a bigger firm, where budgets are greater and contingency plans more developed.
Going beyond that, there is also the possibility of customer churn if an organisation is not at least in a position to explain to its customers and prospects how it will meet GDPR, and does not have a minimum set of processes in place to enable it to do so.
Small Bank Challenges
The prospect of a GDPR penalty is yet another challenge for smaller banks. These are an important part of FS, providing competition to bigger and more established institutions. But it is hard to make yourself heard against such competitors, and the barriers to entry can feel prohibitively high. Smaller firms are not as well represented as they should be in industry bodies and panels, so they have less chance to influence regulation and compliance requirements.
The regulatory environment is, in fact, growing ever more complex, and this complexity is a significant challenge for smaller institutions. They do not have the HR resources, the industry voice or the tools required to stay on top of it all, and their business is in danger of suffering as a result.
GDPR is the latest such threat to smaller financial institutions, but their size and agility do mean that, with the right approach, they can address GDPR (and other regulations) effectively and smartly.
GDPR & Digital Compliance
Attempting to address compliance purely internally, or even with project-based external support, can be a risky approach, especially for a smaller organisation. If the project is subject to delays, this can lead to additional financial costs that are hard to find. There is another option: supervised digital compliance. This method addresses compliance requirements – such as GDPR – as part of an overall continuous compliance programme. Because compliance is an ongoing process rather than a project that begins and ends, it is an approach that makes much more sense.
It relies on the support of a range of external experts, consultants who are aware of the compliance requirements and have the expertise, experience and know-how to ensure that nothing falls through the gaps. Working this way, supported by a digital tool that takes away the hassle of managing compliance, can be a real boon for smaller organisations looking to manage GDPR.
Supervised digital compliance reduces the need for in-house, manual effort to run a compliance system, effort that is costly (particularly for a smaller firm) and not always effective, given that humans are fallible and make mistakes on occasion. Such an approach offers a continuous and smooth process for addressing compliance, and ensures a better night's sleep for risk managers and the board.
A smart, fast and cost-effective solution for smaller institutions, in the financial sector and beyond, could make the difference when complying with GDPR. It is by no means too late for organisations to comply, but the time to act is upon us.