With only a few weeks until implementation, more than 50% of investment firms globally are unlikely to be ready for the General Data Protection Regulation (GDPR) on 25 May 2018. This is according to a global industry survey of over 250 financial firms carried out by Cordium and AmberGate.
How far through your GDPR compliance project are you?
Designed to benchmark investment management firms’ readiness for GDPR, the survey revealed a lack of preparedness in advance of the regulation’s implementation date:
- Only 2% of surveyed firms had finished putting their GDPR policies and procedures in place
- 59% of firms said they were unprepared to comply with the required 72-hour window to report a personal breach to regulators
- 64% were unprepared to respond to an exercise of data subject rights.
“Companies that have not yet started their GDPR program – or those still at the early stages – expose themselves to significant compliance and reputational risk. Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as MiFID II’s earlier deadline, leaving GDPR to fall down the priority list. With just a four-week window firms should be practicing these procedures, not defining them,” said Michael Corcione, Managing Director, Cybersecurity and Data Protection Consulting Services at Cordium.
At present, which area generates the most pressure to comply with GDPR?
Robert Baugh, Founder and CEO, AmberGate, said: “The lack of GDPR preparedness in the industry is concerning, particularly given the risk of regulatory action and the potential impact to a firm’s reputation. Many firms will now need to divert significant resource and time to the project – there is clearly still much to do across most organisations. Firms will face growing pressure from an internal governance perspective, from investors, and from regulators likely to take an increasingly firm stance on the issue.”