With only 30 days until implementation, more than 50 percent of investment firms globally are unlikely to be ready for the European Union’s new General Data Protection Regulation (GDPR), according to a Cordium and AmberGate survey.
Designed to benchmark investment management firms’ readiness for GDPR, the survey revealed a lack of preparedness in advance of the regulation implementation date.
Only 2 percent of surveyed firms had finished putting GDPR policies and procedures in place, while 59 percent of firms said they were unprepared to comply with the required 72-hour window to report a personal breach to regulators.
A further 64 percent said they were unprepared to respond to an exercise of data subject rights.
The EU’s GDPR comes into effect on 25 May and introduces a set of data privacy and security requirements on firms, with potential global reach.
Michael Corcione, managing director, cybersecurity and data protection consulting services at Cordium, said: “Companies that have not yet started their GDPR programme—or those still at the early stages—expose themselves to significant compliance and reputational risk.”
He added: “Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as the second Markets in Financial Instruments Directive’s (MiFID II) earlier deadline, leaving GDPR to fall down the priority list. With just a four-week window firms should be practicing these procedures, not defining them.”
Robert Baugh, founder and CEO at AmberGate, said: “The lack of GDPR preparedness in the industry is concerning, particularly given the risk of regulatory action and the potential impact to a firm’s reputation.”
He added: “Many firms will now need to divert significant resource and time to the project—there is clearly still much to do across most organisations. Firms will face growing pressure from an internal governance perspective, from investors, and from regulators likely to take an increasingly firm stance on the issue.”
