With regulation such as MiFID II taking up a significant amount of time and energy for wealth managers, the implementation of the EU General Data Protection Regulation (GDPR) has fallen down the priority list for many firms.
Passed by the European Parliament in April 2016, the new rules signal the most important change in data privacy regulation for more than 20 years and come into effect next May.
Headline-grabbing new rules wrapped up in GDPR include the so-called ‘right to be forgotten’ and the need for larger firms to hire a dedicated data protection officer.
However, there are fears some wealth management firms could leave themselves open to huge fines and reputational damage if they are not ready.
Andrew Watson, head of regulatory change at software and consultancy provider JHC Systems, said GDPR “should not be an afterthought”.
“Despite the fact that we are now only a year away from the introduction of GDPR a lot of businesses remain unprepared and some still don’t even realise that they will need to comply,” he said.
“Currently many firms are focusing on the arrival of MiFID II, but solutions for both measures need to work in tandem.”
Penalties for not complying with the new rules could rise to €20m, or 4% of a firm’s annual turnover, but one in four businesses admitted being unaware of GDPR changes in a recent Ipsos Mori poll.
Michael Corcione, managing director for cybersecurity and data protection at Cordium, said: “A lack of preparation will be the main challenge facing wealth managers.”