GDPR Benchmarking

On January 26, 2017 Sidley hosted “Data Protection in Finance 2017: GDPR Readiness – Strategies and Practice” in association with DataGuidance. The interactive conference provided opportunities for networking with industry peers, as well as a full day of informative panel discussions focused on practical steps to achieve compliance with the EU General Data Protection Regulation’s (“GDPR”).

During the conference, a benchmarking exercise was undertaken to better understand the status of GDPR projects in the financial services industry. Of the attendees who responded to the benchmarking exercise:

  • 79% of the participants had already started their GDPR project.
  • 58% stated that the compliance department will take the lead for their GDPR project.
  • 37.5% considered the availability of budget and resourcing to be the biggest challenge for managing the GDPR project followed by the GDPR requirements themselves (30.5%).
  • 79% felt dealing with accountability requirements (e.g., data mapping, designating data protection officers, data protection impact assessments etc.) would require the most amount of effort.
  • 83% of participants will use external advisors to assist with GDPR compliance.

The GDPR was adopted in April 2016 and will enter into force in mid-2018. The GDPR, which is intended to create a single law on data protection across the EU, will have a significant impact on financial services institutions, funds, managers and advisers (“FS Businesses”) in Europe.  Importantly, GDPR will also significantly affect FS Businesses outside of Europe, such as in the U.S., that collect data on Europeans through offering goods or services to or monitoring Europeans. This is particularly important given the significant fines being introduced by the GDPR for non-compliance of up to 4% of annual worldwide turnover (gross revenue).

FS Businesses impacted by the GDPR may wish to consider carrying out an internal gap analysis of current data protection practices as compared to new requirements and rights under the GDPR. Please visit our GDPR resource page for some practical steps for implementation.