General Data Protection Regulation

New UK Data Protection Act launched before GDPR

On 23 May 2018, the long-awaited replacement for the United Kingdom's data protection legislation received Royal Assent and completed its journey through Parliament. The Data Protection Act 2018, as it is now known, comes into force on 25 May 2018, coinciding with the Europe-wide application of the General Data Protection Regulation (GDPR).

Are you ready for GDPR?


The General Data Protection Regulation (GDPR) applies from May 2018 and affects every company that offers goods or services to people in the EU or monitors their behaviour, wherever that company is based. It is imperative that you and your company are ready for the changes, so that you comply with the strict new requirements.

Designed to protect personal and sensitive data, GDPR aims to give individuals in the EU control over their personal data by applying a single set of data protection rules to every business that holds information about them, regardless of where that business is established. It is the biggest shake-up of data protection in the EU since the Data Protection Act 1998.

Many businesses will need to make significant changes to how they operate or face the consequences. Failure to comply with GDPR would be a costly mistake: fines run up to €20 million or 4% of worldwide annual turnover, whichever is higher.

The main themes of GDPR are:

  • Data protection - All companies that collect personal data about people in the EU must have appropriate technical and organisational security measures in place. This includes a breach response policy (breaches that put individuals at risk must be reported to the supervisory authority within 72 hours of the company becoming aware of them) and a risk assessment of the processing, carried out as a formal data protection impact assessment where the processing is high-risk.
  • Data control - Individuals have the right to access their data and to be told how it is being used, the right to take their data elsewhere (portability) and the right to demand that their data be erased.
  • Data responsibility - Public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO).

GDPR Preparation

  1. Map where personal data is collected, stored and processed across your business, and identify the areas that need a data protection strategy.
  2. Appoint a Data Protection Officer (DPO) if your processing requires one.
  3. Conduct a risk assessment of all personal data coming into your company and create a data protection policy governing how that data is used and stored.
  4. Implement technical and organisational security measures appropriate to the risk, so that you are GDPR compliant.
  5. Regularly review those security measures and the underlying risks to ensure that you stay compliant.

In the months leading up to GDPR it is imperative that companies examine their current data protection policies and put appropriate data security measures in place before the deadline.

This is where we can help. We have a team of regulatory experts ready to advise you on every aspect of GDPR.

The impact of GDPR on KYC

GDPR (the General Data Protection Regulation) comes into effect in May 2018: 99 articles and 173 recitals of EU data privacy law that will change how companies manage, process and delete data.

Under GDPR, banks and other organisations that carry out identity checks and hold sensitive information about customers must be transparent about what happens to that data once the check is complete: how long it is retained, who it is shared with and when it is deleted.

Adequate KYC procedures are powerful AML and risk management tools, but the introduction of GDPR has further consequences for the way businesses manage the customer data those procedures collect.

Data protection has always been a high priority for the financial sector, but the impact of GDPR will be widely felt. A recent YouGov survey found that only 29% of businesses had begun to prepare for GDPR, and 71% of respondents admitted they were unaware of the fines they could face if found in breach of the new rules.

The two main effects on KYC will be:

Increased security requirements for KYC data

Under GDPR, financial institutions will have to exercise stringent control over where data is stored. Many companies are still not careful enough: employees inadvertently store data in the public cloud, inexperienced managers allow unsecured personal devices (BYOD, Bring Your Own Device) onto the network, and staff take work containing sensitive data home.

Information security protocols will need to be defined for each area of the business and extended to third-party organisations that process data on your behalf, which GDPR requires to be bound by contract, to ensure that its requirements are fully met.

Increased use of automation

Handling sensitive data has become much harder in the digital age. Where a single photocopied passport was easy to keep track of, the volume of digital data and the ease with which it can be copied and shared place a heavy burden on those who hold it. Automating onboarding, monitoring and data enrichment processes will be necessary to meet the requirements of GDPR at scale. And while investment in data protection technology continues to grow, so too does the investment criminals make in finding ways to defeat it.