
What effect will the GDPR have on private banks and wealth management businesses?

Joanne Bone, Irwin Mitchell Private Wealth, Partner, London, 26 August 2017


Despite the European Union's General Data Protection Regulation representing the biggest change in 25 years to the way businesses process personal information, Irwin Mitchell Private Wealth's recent survey found that just 47% of financial services businesses in the United Kingdom have started preparing for it.

Wealth management businesses collect and use large amounts of private individuals' 'profile data' in order to understand their customers and provide the most suitable products and services to meet their needs. As a starting point, they will need to find out what data they hold and whether they have a proper basis for each use they make of it, whether that is the data subject's consent or another lawful ground.

Information security is also a crucial point. Although financial data is not legally classified as "sensitive personal data," a bank must still handle it carefully, because the Information Commissioner's Office (ICO) treats any transgression involving financial data as a serious one.

One of the big changes that the GDPR brings in is the duty to notify the regulator of certain personal data breaches (those likely to result in a risk to individuals), and to do so within 72 hours of becoming aware of them where feasible. At the same time, a massive increase in fines is taking place, with the ceiling rising from £500,000 to €20 million or 4% of global annual turnover, whichever is the larger. Every organisation should undertake a root-and-branch review of its data governance practices to keep out of the ICO's gaze.

There is also, however, a positive side to the legislation. If banks and wealth management businesses embrace it, they might inspire trust and confidence in their customers and give themselves a competitive advantage in that manner. It is crucial for customers to remain confident about their data being handled well in a data-heavy business of this nature.

How should private banks and wealth management businesses prepare?

GDPR compliance might seem an overwhelming task but if a financial institution starts early and approaches it in a methodical manner, it is achievable. 

The first stage is for it to know what data it holds, how it is using it and what legal grounds permit its use. A data audit is very desirable; if an organisation is ignorant of the data it has, it cannot make itself compliant.

I would also suggest a data clean-up, which involves looking at the data, finding out whether it is out of date or no longer used, and then deciding whether to keep it. There is no point in spending time and money making outdated data compliant. In any event, the GDPR requires firms to think about the data they retain. The basic rule is that if it is no longer necessary for them to retain a particular piece of data, they should delete it.

Another important job for each firm is to look at how customers are told how it (or the processors acting on its behalf) uses their data, to set up a process for handling data breaches, and to prepare for the "enhanced rights" that their customers are about to receive. Individuals will be entitled to more of their personal data in response to a "subject access request," and they also gain additional statutory rights such as the much-publicised "right to be forgotten" and the "right to data portability." Businesses in the sector ought to prepare for these rights, not least by working out how they will handle requests that do not have to be acted on. The right to be forgotten, for example, is narrower than media headlines might suggest, and the public may believe they can order firms to erase data in situations where they cannot. Private banks and wealth management businesses need to distinguish the requests they must act on from the rest. They must also work out how to avoid deleting information that they are entitled to retain; one day they may need it.

In a nutshell, wealth management firms should regard the GDPR compliance process as a marathon and not a sprint.
