Feb 22017

GDPR Benchmarking

William RM Long and Francesca Blythe
, , ,

On January 26, 2017 Sidley hosted “Data Protection in Finance 2017: GDPR Readiness – Strategies and Practice” in association with DataGuidance. The interactive conference provided opportunities for networking with industry peers, as well as a full day of informative panel discussions focused on practical steps to achieve compliance with the EU General Data Protection Regulation’s (“GDPR”).

During the conference, a benchmarking exercise was undertaken to better understand the status of GDPR projects in the financial services industry. Of the attendees who responded to the benchmarking exercise:

  • 79% of the participants had already started their GDPR project.
  • 58% stated that the compliance department will take the lead for their GDPR project.
  • 37.5% considered the availability of budget and resourcing to be the biggest challenge for managing the GDPR project followed by the GDPR requirements themselves (30.5%).
  • 79% felt dealing with accountability requirements (e.g., data mapping, designating data protection officers, data protection impact assessments etc.) would require the most amount of effort.
  • 83% of participants will use external advisors to assist with GDPR compliance.

The GDPR was adopted in April 2016 and will enter into force in mid-2018. The GDPR, which is intended to create a single law on data protection across the EU, will have a significant impact on financial services institutions, funds, managers and advisers (“FS Businesses”) in Europe.  Importantly, GDPR will also significantly affect FS Businesses outside of Europe, such as in the U.S., that collect data on Europeans through offering goods or services to or monitoring Europeans. This is particularly important given the significant fines being introduced by the GDPR for non-compliance of up to 4% of annual worldwide turnover (gross revenue).

FS Businesses impacted by the GDPR may wish to consider carrying out an internal gap analysis of current data protection practices as compared to new requirements and rights under the GDPR. Please visit our GDPR resource page for some practical steps for implementation.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.