The General Data Protection Regulation, with the primary aim of strengthening the data rights of EU residents, went live on 25th May 2018. EY recently conducted a survey of funds organisations in Ireland to understand where they are in terms of their GDPR implementation progress and the measures embedded internally. The survey also sought to assess the effect of GDPR implementation on the respondents’ relationships with their third-party vendors. Organisations selected for the survey consisted of both data controllers and data processors across the value chain, including depositaries/custodians, fund administrators/transfer agents, investment managers/management companies, and MiFID firms.
‘Data Controller’ or ‘Data Processor’?
Compliance with the regulation requires organisations to determine whether they have the enhanced responsibilities of a ‘data controller’ or if they are a ‘data processor’. For the manager/management company respondents, opinion was divided – a majority said they were a controller, some said they were both a controller and processor in equal parts, while still others said that they were primarily a data controller but also a data processor. This lack of clarity on responsibilities when processing data was reflected across the industry.
Almost 40% of organisations to complete their GDPR Programme in 2019
In line with other financial services industries, up to 40% of respondents highlighted that, following go-live, some of the required capabilities are outstanding, although measures are in place to close these gaps by Q4 2019. These include the necessary monitoring, testing and review processes (47% outstanding), contractual updates, for example with third-party contractors (47% have yet to close these), and the largest capability still to be addressed by organisations: data minimisation and anonymisation. At the point of the survey, 67% of respondents with outstanding capabilities highlighted this as a gap.
No uplift in data privacy rights requests
In the run-up to the May 2018 deadline, all respondents implemented a process to manage requests and 87% issued emails to customers regarding consent and transparency, to ensure compliance with the transparency requirements set out in the regulation. As a result, a majority of the organisations received some enquiries from customers, although this did not translate into an increase in data privacy rights requests – 60% saw no change in volumes.
Benefits of GDPR Programme – reduced costs, increased alignment with evolving technology
Despite facing early teething problems in interpreting the regulatory requirements (over 30% of respondents struggled to understand the scope) and ensuring compliance (20% reported challenges in determining compliance among third-party vendors), many noted positive impacts following their implementation programmes. These benefits were scattered across organisations, from Marketing to HR functions. The top benefits realised by organisations included streamlined processes and reduced costs – and opportunities to increase alignment with evolving technology.
Conclusion
The results of the survey demonstrate the significant progress made by the industry to comply with the regulation. However, the industry as a whole still has some way to go before being fully compliant, with many implementation programmes extending out to the end of 2019.
Please reach out to discuss the survey findings further or with any questions you may have about GDPR implementation in your own organisation.