
Conference report: how to approach the GDPR for the first time

Chris Hamblin, Editor, London, 14 September 2017


At the latest MLROs.com conference in London, hosted by David Pelled (pictured), delegates examined the European Union's General Data Protection Regulation and what it meant for compliance people at financial firms. Not enough firms have begun to comply.

Many thought it likely that compliance with the regulation was going to fall between many stools: legal departments, IT departments, compliance offices, treasuries and operational risk departments. One person thought that it was a good idea for a firm to have a dedicated privacy management committee to hook all these disparate divisions together.

Teething troubles

One delegate thought that the biggest single problem that any firm faced when trying to piece together a GDPR compliance effort was to find out where it kept its data. He added: "Almost half [the personal data] in the average firm is secreted away in some legacy archive that can't be accessed. Anonymisation is a good way of taking yourself outside the ambit of the regs, if you can do that one, but you'll have to require contracts. This is, after all, the greatest single shake-up of any data in Europe."

On 24 May next year the GDPR - with its 11 chapters and 99 articles - will apply directly to the processing of personal information that is linked in some way to the European Union's territory or markets. The conference heard, however, that two-thirds of the UK's chief information officers have not yet begun to implement a single thing. One major reason, a delegate said, is that it is difficult to force a particular body in an organisation to 'take ownership' of it. It is also difficult to persuade the boards of companies to 'buy into' it. One delegate conjectured that the organisations that are most capable of observing it - those in financial services - are overwhelmed by other initiatives such as the Senior Managers' Regime in the UK, the Markets in Financial Instruments Directive and, coming round the corner, the ring-fencing law that forces the largest banks to split their services between retail and the rest.

A changed world

Conference-goers spoke often about the way in which the world has changed since the directive of 1995 which is enshrined in the UK in the Data Protection Act 1998. Technology has changed and so have people's attitudes towards their data and its value. Organisations are having to treat this data with increasing reverence. It is of some cold comfort to note that the legal phrase 'personal data' never refers to data about the deceased.

One upshot of the new regulation is that financial firms will have to report data if they send it to countries that have not been listed as 'adequate' by the European Union. The most important change it will bring about, however, is 'accountability' for both structured and unstructured personal data handling.

The existing data protection directive does not touch processes, but the upcoming regulation does. Indeed, it requires data controllers to note down the ways in which they pick their processes.

Keeping an eye on the cookies

Article 3 of the regulation is extremely verbose and says that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place there or not. It applies to the processing of personal data by a controller not established in the EU but where "member state law" applies by virtue of public international law. It also covers the processing of data about people who are in the EU by a controller or processor outside the EU, as long as the processing activities are related to the offering of goods or services to people in the EU or "the monitoring of their behaviour as far as their behaviour takes place within the [European] Union."

This last sentence, one observer said, boils down to the use of 'cookies.'

Articles 4 and 5 - the best place to start

Another delegate said that the best place to start for any compliance officer who wanted to get to grips with his firm's obligations was article 4, which contained the regulation's glossary of terms.

Delegates also heard that a compliance officer who wants to implement his GDPR design should start at article 5, which contains six core principles that are not too different from the existing ones. Whenever one is stuck, this is the place to go.

Appointing a DPO

Conference-goers exchanged some conflicting views about data protection officers. Article 37 of the GDPR calls for such a "data protection superhero" at every relevant firm but some firms are not required to have one. One view was that even these firms ought to have one. Firms were warned, however, that any firm that volunteered to have a DPO could not then allow him to tread a laxer path than a DPO at a firm that had to have one. One person thought that it was illegal to say "well, we only appointed a DPO voluntarily and we aren't obliged to make him apply all the regulations."

Damages and penalties

Article 82 of the EU regulation allows any person who suffers "material and non-material damage" to pursue compensation from the controller or processor. One delegate observed: "It doesn't have to be an Armageddon-like case such as the Equifax data leak of recent days. Mrs Miggins receiving repeat marketing material is suffering non-material (and perhaps material, if it is causing her distress) damage and can sue."

Everyone knows about the maximum penalties available for the authorities to impose in accordance with the regulation: €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. Fewer people realise that there is a smaller maximum level of penalty for some infractions, namely €10m or 2% of global annual turnover, whichever is the greater. As with the settlement of criminal sentences, the authorities are likely to take the nature, gravity and duration of each breach into account. The Information Commissioner's Office, according to one observer, will mainly want to target firms that have turned a blind eye to their responsibilities.
