GDPR – One year on, what do wealth managers still need to consider?

It has been over a year since the General Data Protection Regulation (GDPR) came into force throughout the European Union, and with Switzerland expected to follow suit in 2020, Private Banks and Wealth Managers must ensure they are fully compliant. Orbium’s compliance expert Adam D. Wisniewski provides a recap on the important piece of regulation.

GDPR is Europe’s landmark legislation for personal data protection and the first cross border attempt to coordinate data privacy laws across Europe. The legislation also provides “digital rights” to European citizens and businesses. With such a seismic change, Private Banks and Wealth Managers now have to consider the legality of person data and the manner with which it is handled.

These changes in Europe will be reflected with an update to the Federal Act on Data Protection (FADP) in Switzerland expected later next year.

GDPR impact and structure

In times when business models across many industries are increasingly reliant on collecting and processing data – and customer data in particular – a regulation like the GDPR has fundamental implications for data ownership, transparency, responsibility and accountability:

• The GDPR confirms that data belongs to the customer along with all corresponding rights. For example, the right to erasure, to amend or to receive data or to transfer it to another entity.
• Any company collecting or processing customer data – the data controller or the processor – has to be fully transparent regarding those activities and must seek the consent of the customer for their data-related operations and clearly explain their purpose.
• Companies have to understand the potential risks, ensure supervision, set up processes for reporting to customers and authorities and identify a controller – the Data Protection Officer (DPO) – for all activities that affect customer data.
• Any breach of these rules may result in severe penalties.

While all the articles of the GDPR have to be addressed in order to be compliant, smart strategic decisions early in the process of implementing the GDPR/FADP will ensure the right prioritisation and help in identifying the appropriate bank-specific implementation options.

The following strategic objectives should be considered in order to lay the foundation for optimal implementation:

• Understanding and mitigation of the risks related to each of the GDPR articles
• Involvement, education and buy-in of all relevant parties
• Robust technical execution – facilitating further developments in data management
• A focus on best possible customer service
• Ideally, integration into a comprehensive organisation-wide data strategy

Supporting clients with a strategic approach to GDPR

Working in partnership with core banking experts Avaloq, we have jointly developed a modular approach to help Private Banks and Wealth Managers address GDPR in general and prepare for the Avaloq GDPR solution release. You can read the full article here.