It’s estimated that more than half of organizations across the EU are still unaware of the GDPR, said Jane Murphy, Founder and President of the European Data Protection Office.
“Unawareness of the extraterritorial reach of the GDPR is also an alarming fact. A vast majority of companies outside the EU don’t realize that the GDPR will also apply to them if they offer products or services to people in the EU (against payment or even for free) or if they monitor the behaviour of people in the EU (for example by the use of profiling). They also ignore the fact that part of the compliance requirements includes the legal obligation to designate an EU representative for GDPR purposes. Given the very stringent sanctions that apply in the event of non-compliance with the GDPR (up to 20 million EUR or 4% of global turnover, whichever is higher), awareness is not only urgent, it’s crucial,” Jane continued.
Without going into every detail of the new law, Picking Alpha has asked Jane Murphy to answer the cornerstone questions for our readers.
Q.: What is GDPR and how does it relate to the financial industry?
J.M.: The GDPR is a new landmark privacy regulation that will apply as of 25 May 2018. It’s being called the world’s strictest data privacy law. It aims to expand and unify data protection rights of individuals in the EU and has unprecedented extraterritorial reach. The GDPR will have an impact on numerous industries but it’s expected to particularly affect the financial industry due to the large volume of personal data that is processed by financial services institutions and the type of services that they offer. The use of big data, telematics, digitalisation, profiling and new technologies will raise privacy and security concerns that will inevitably have to be dealt with within the framework of the GDPR.
Q.: The financial world has only just started to implement MIFID II, and now there is the GDPR to worry about. Is there a connection between the two, and if so, what is it?
J.M.: Yes, there is definitely a connection and it may lead to a “disconnect” in a number of areas. For example, MIFID II requires that financial services firms process a very large amount of personal data (e.g. related to customer transactions) while an underlying principle of the GDPR is data minimization. Because MIFID II companies are going to have to store a lot more personal data, they will likely increase their use of cloud services and this will in turn increase their challenge to keep data secure. Another example is MIFID II’s requirement that firms record all telephone conversations related to deals. How will this affect, amongst others, the use of company (mobile) phones by employees when the phones are also used for personal calls? The best way forward for financial institutions will be to ensure that MIFID II and GDPR teams work closely together so that adequate technical and organizational measures are put in place to comply with both sets of legal requirements.
Q.: In your opinion, which sectors or industries are in the high-risk category?
J.M.: The GDPR will pretty much affect every sector and industry in one way or another. In terms of impact, the industries that will be at higher risk will be those that process high volumes of data (for example, financial services, retail, travel, tourism, marketing, media, telecoms) and those that handle sensitive data (healthcare and medical information).
Q.: What can companies do themselves and what should they outsource to the specialists?
J.M.: The answer really depends on the company, the business that it’s in, its implementation approach and the available internal resources. Compliance with the GDPR requires time, skills, knowledge and experience in various areas (legal, IT, risk, security, etc.). And let’s not forget the budget!
Jane Murphy is a Belgo-Canadian lawyer who was born and raised in Canada, where she qualified and worked as a lawyer before moving to Belgium 25 years ago, where she also qualified as a Belgian lawyer. Her legal practice focuses on GDPR, corporate law, M&A and corporate governance. Jane is the Founder and President of European Data Protection Office (EDPO). She is also an independent non-executive board director and member of various committees (audit, risk, legal, compliance, remuneration and corporate governance) of listed companies Ageas (Belgium and France) and Elia and of the non-listed company Puilaetco Dewaay Private Bankers. Jane is Vice-President of CanCham Belux and a regular speaker at events related to GDPR, corporate law and Canada-Belgium relations, in particular within the framework of CETA.