It’s now been over 18 months since the May 2018 roll out of the General Data Protection Regulation (GDPR). This update to Data Protection laws across the EU triggered significant process changes for organisations that store personal data, with many months’ preparation needed beforehand.
As a year and a half has passed, we thought it would be timely to look at how far reaching the impact was and what it means for Data Protection going forward.
We have spoken to a Data Protection Officer (DPO) and a Data Protection training provider, as well as provided our own view on the recruitment market, in order to understand how GDPR has changed how a business now operates.
Sue Taylor, Group Data Protection Officer, Provident Financial
Sue has worked in the finance industry for over 30 years in a variety of Risk and Compliance roles. She has previously chaired the British Bankers Association (BBA) Panel on Data Privacy for over four years and co-authored a BBA Publication on ‘Keeping Customer Information Safe’.
Many of the operational activities mandated in GPDR are now common ‘business as usual’ processes. All staff undertake annual training and testing so there is a general awareness of data privacy principles across the company. For those parts of the business handling Information Rights, we have seen an increase in staff into the dedicated teams due to a significant increase in requests received. As we have embedded the process of managing these into the privacy software, we have maintained efficiencies and therefore whilst there has been an increase in resource in the Rights Requests team, other areas have absorbed the work.
Headcount in the Rights Requests teams in operational areas have increased by approximately 400%. In one team, they have increased from two staff to ten staff. However, it should be noted that this may not be solely due to GDPR – as a financial institution we are experiencing an increase in complaints via Claims Management companies who use (the now free) right-of-access to gather information to assess if this will assist their claim.
When the final version of GDPR was approved it soon became clear that the requirements on the DPO and the business to comply with GDPR would need a more formal management framework tool rather than relying on spreadsheets and databases. So I think that the most significant change for my business was the investment in bespoke data privacy management software.
Beverley McGowan, Managing Director, The Specialists Hub
Beverley has worked in many Data Protection and Risk Management roles for large Financial Services organisations, and now is the MD for The Specialists Hub – an approved training provider for the International Association of Privacy Professionals that provides awareness, accredited training and consultancy.
The demand for specialists in Data Protection, Information Security and Programme Management was exceptionally high leading up to GDPR coming into force in May 2018. Businesses had to deal with years of a lack of governance over data and trying to identify the flow of data across their business, technology and supply chain and put in place the necessary documentation, processes and controls.
The focus since has shifted to one of assurance activity and to review what was put in place to ensure that it still meets requirements. There has also been a demand for outsourced DPO services, particularly for SME's where there isn't an appetite or budget for hiring full time DPO's. There are still many small and medium sized businesses who are very immature in their understanding and implementation of the requirements and we are working with a number of these SMEs to support them with their staff awareness and implementation activities.
Kirstie Burn, Director – Compliance, MERJE
Kirstie is the Director of the Compliance team in the MERJE London office. She has 19 years’ experience in recruitment, ten of which within Compliance and Risk Management.
GDPR remains a focus of attention and resource for our Clients. It is now key that the DPO maintains a sustainable cultural shift in business practices and operating systems to ensure there is no risk of any breach in Data Protection. Operational efficiencies also tie into this line of focus to make sure all Data Management and Customer Contact is dealt with correctly.
We have seen more Heads of Compliance taking on the responsibility for GDPR within their remit since 2018 and clearly making an individual accountable for activities within this space, which before was perhaps not as definitive in where it sat within a firm.
Currently, firms need to be looking at how successfully the processes are now embedding under GDPR into the firm, identify where there are any gaps and enabling a programme of continuous monitoring to assess and advise of any remediation activity and training where required. This is to ensure no relaxation of standards seeps into the operating model. The quality-driven methods in which a customer, and their data, is being dealt with will be a key attribute to customer success and overall experience moving forward.
Overall, there has been a big increase in Data Protection-awareness and firms are now taking it far more seriously than they were previously. This is because of a lot of procedural changes and training for staff across most businesses now makes Data Protection a strong focus. There was an initial influx of staff to support skills gaps in this area, and there continues to be extra resource being recruited within most firms to sustain the operational and regulatory expectations required.
To discuss your Data Protection recruitment needs, or your own career options, please contact Kirstie Burn (London and the South East) on 0203 637 1603 or kburn@merje.com, or Paul Sherlock (Rest of UK) on 0161 883 2746 or psherlock@merje.com.