Digital Assets Report



The implications of data protection regulation under Brexit


The impending introduction of the General Data Protection Regulation ('GDPR') in 2018 is going to affect all organisations in terms of how they protect data. Marcus Lewis, Director, Technical Sales at Capital Support, a leading managed IT services provider, believes that within the funds industry, irrespective of whether it is UK law, EU law or US law, "managers will comply, but of more concern to them is how they can demonstrate to their investors that their data is secure.

"Our view is that the UK will have to subscribe to EU guidelines, because when organisations are doing business inside and outside the UK, the data protection standards will need to remain the same. The changes that are coming in under GDPR are in line with changes in technology, changes in the way people work, and changes in the way data is stored," says Lewis.

Lewis believes that UK fund managers should treat data protection in a similar way to the cybersecurity guidelines that the SEC has issued to US fund managers. The FCA has yet to produce its own guidelines, so as best practice UK fund managers should broadly adhere to the SEC's guidelines.

"The same logic applies to data protection under GDPR. Work towards adhering to those guidelines, and wait and see what the UK does. We haven't left the EU yet and the shortest possible exit will take two years, by which time the EU rules on GDPR will already be out," says Lewis.

One point that UK fund managers should be mindful of is that the penalties for failing to protect data under GDPR will be more severe than under the UK Data Protection Act. Under the latter regime, companies only face a maximum GBP500K fine. Under GDPR, it is possible that the EU could impose a penalty equivalent to 4 per cent of an organisation's global revenue.

"The reputation of a fund manager would be seriously impacted. Firstly, would they be able to pay the penalty? And secondly, would they survive the reputational hit to the business? With these events, often it is less about the data breach itself and more about the fact that it happened in the first place," comments Lewis.

Managers should think about how to spend what IT budget they have available more intelligently.

"What is preferable: good security or a slightly faster laptop? From a productivity perspective it might be better to have the laptop, but from a business perspective it's better to protect the reputation of the firm by allocating some capital on training and awareness. It's about thinking how you do business, and how the people and processes are aligned to keep the business secure," advises Lewis.

He adds that when Capital Support works with start-up managers, the route to becoming cyber secure, and to protecting the firm's sensitive assets, always starts with the basics. This involves setting the right tone from senior management, putting initial rules and processes in place, segregating data, and making sure that everyone is aware of security risks.

"We offer a security risk management service, whereby we walk the client through the potential risks and pitfalls they might face. What we don't do is dictate what they should do. We simply highlight the risks and empower them to make decisions that are most important to their business at that point," concludes Lewis.
