The EU’s General Data Protection Regulation came into force two-and-a-half years ago, yet wealth managers’ travails with this incredibly wide-reaching, complex piece of legislation - and those emulating it internationally - are far from over. New research examines what the pressures are and why the industry must handle them.

The implications for wealth managers of the Schrems II ruling also reach far beyond just transatlantic transfers. Our research found that most firms rely on Standard Contractual Clauses for both intra-group and third-party transfers, and so the EUCJ’s imposition of “supplementary measures” on SCCs and the whole suite of safeguarding mechanisms is arguably an even more dramatic move as it impacts all jurisdictions bar the 12 the EU currently deems “adequate” in data protection. 

That this tiny green list includes the Faroe Islands and Andorra, but not post-Brexit Britain nor any number of other developed countries, underscores how tricky transferring data outside the European Economic Area compliantly will continue to be – particularly as adequacy decisions are also subject to sudden revision.  

External expertise unavoidable?
Alongside updated SCCs, wealth managers must now grapple with the European Data Protection Board’s recently issued recommendations on the supplementary measures, which make clear how much work organisations now have to do in evaluating foreign legal regimes on an ongoing basis. And here, we might say, lies one of the greatest rubs when it comes to the costs and pains of data protection compliance.

Although wealth managers may have their own in-house counsel, almost half (46 per cent) of those participating in this study said they have to source regulatory guidance from external law firms and a fifth turn to consultancies. That 27 per cent said they were able to get support by phone or email suggests many are retaining such services at a cost of (we were told) multiple thousands per day. However, the majority (40 per cent) of data protection overseers appear to be gathering what insight they can from memos and the like issued by external parties. As one respondent noted, keeping their organisation on top of all this by scouring newsletters and so on “could be a full-time job”.

Digital dissemination
In likely recognition of the enormity of their task, it can happily be said that a third of data protection specialists have updates delivered to them and disseminated across their organisation entirely digitally (such as through an app). Interestingly, while 25 per cent have gone for the easier win of implementing an external solution, 38 per cent have developed one internally. That they have done so at a time of already great technology change for the sector shows just how seriously they are taking the threat of fines which could amount to 4 per cent of annual global turnover for breaching the rules.  

However, the biggest indicator is, of course, rapidly expanding data protection teams. As part two of this research special will show, many wealth managers are set on significantly expanding their teams. 

The European data protection study Apiax carried out with WealthBriefing follows a similar one undertaken among Asia-Pacific institutions earlier in the year. To view the full findings of both, click here.