Privacy Nightmare And Hacker’s Dream – Part 1

Wendy Spires, Head of Research, 21 April 2020



An institution may have immaculate technical and organisational measures in place under normal conditions, but we are in uncharted waters with so many wealth management staff working from home. This article looks at what this means for data protection.

Along with being our head of research, Wendy Spires, who is a Certified GDPR Practitioner, takes a keen interest in all things related to data privacy in wealth management. This is Part 1 of a three-part feature examining the dangers facing the sector in its new working from home paradigm – and why compliance standards cannot be allowed to slip.

Amid all the gloom, the wealth management industry must certainly be thankful for the fact that the coronavirus pandemic has hit at a fairly well-advanced stage in its digitisation, and that it is at least possible for business to continue as vast numbers of people are confined to quarters all over the world. Health is of course the overriding concern, but worries about wealth are never far behind as markets gyrate and a global recession (or even depression) looms.

Firms should be acutely aware that a lack of responsiveness became a huge source of client dissatisfaction during the Global Financial Crisis and will want to pull out all the stops to keep clients informed and reassured. But the fact that they have to do so while having been bounced into a new working from home paradigm should also have under-prepared firms very worried once they think through all the implications.

A reckoning to come

Standing only at “the end of the beginning” of this crisis, it may seem perverse to be focusing on what may seem like niceties such as compliance with the EU’s General Data Protection Regulation (and the equivalents on national statute books). We can be sure, however, that when the dust settles there will be a reckoning for any malpractice or negligence that may have occurred. And for those institutions whose houses were not fully in order, the backlash could be harsh indeed.

Working from home en masse is certainly unprecedented, but the fact remains that organisations across sectors have been allowing – and often encouraging – remote working for some years now as mobile devices and cloud-based software have taken off. Untethering workforces so that activities like onboarding and portfolio reviews can occur at any time, anywhere has greatly enhanced both the client and advisor experience at tech-savvy firms. But this also means careful thought should already have gone into maintaining data privacy discipline beyond the confines of the computer terminal at the office and its secured communication lines. Add business continuity and disaster recovery planning into the mix (an office building burning down, say) and not having solid policies and practices in place starts to look even more negligent.

Financial regulators are relaxing certain strictures for the time being (like MiFID’s 10 per cent portfolio depreciation letters). However, the rules concerning the protection of client data may provide little to no cover.


Key is the obligation to have “appropriate technical and organisational measures” in place to protect personal data being processed (where processing encompasses collection, recording, storage, transmission, consultation and so on, which amounts to handling of virtually any kind). Under Article 32, these security measures must be appropriate to the risk the processing represents to individuals’ rights and freedoms if data were destroyed, lost, altered, disclosed or accessed improperly. And make no mistake, data processing for wealth management purposes can represent extremely high potential for harm if what privacy practitioners call the “CIA Triad” of confidentiality, integrity and accessibility is compromised.

Under GDPR, Data Protection Impact Assessments must be carried out prior to the commencement of any processing operations representing high risks to data subjects’ rights and freedoms. Yet best practice dictates that these should be iterative rather than “once and done” exercises (likewise data processing records). Today’s dramatic shift in working practices hammers home this point.
