Business management consultant says while financial service industry is ahead of most, some companies are still way behind where they should be when it comes to GDPR

The GDPR deadline is next month, and while a lot of companies feel they are prepared, many others are still far behind.

That is according to Darren Wray, chief executive of business management company Fifth Step.

“Whilst Financial Services are probably ahead of much of the general market,” he said, “there are still some who have only got their budgets cleared or approved in January.”


The regulations come into force on 25 May 2018, and Wray said some companies, particularly smaller companies, have a lot of work to do to be sure they are ready in time.

“Some of the mid-tier companies are still further behind than, certainly, they would want to be.

“They assumed they were going to be better, or more prepared than they thought they were when they got into the weeds of it.”

So, what line of insurance is ahead, or lagging?

“I think most of the personal lines are perhaps further ahead, or not as far behind. I don’t think they are quite as far behind, because I think they recognised early on, ‘okay, this is definitely going to affect us, we’ve got lots of personal data’.

“Some of the business lines companies, though, didn’t recognise how much personal data they actually have and some of that’s wrapped up, some of it’s hidden.”

Hidden information

Wray described how companies may have forgotten about certain departments.

“Things like HR Departments are heavily impacted by GDPR, because they all have to maintain the privacy of that information, and one of the aspects that people outside of HR don’t realise is that opinions are also our personal data.”

Another way insurers might get information from people could be hidden from sight, Wray said.

“If we have a tick box on a form that says, ‘send me in large print,’ a large print policy, does that mean that we now have medical information? You can infer that that person has sight issues.”

Companies will need to dig deep and look at all their processes to make sure they are doing everything they can to know every bit of personal data they hold.

GDPR the new PPI?

Two firms, DAC Beachcroft and Auger, have warned that GDPR could result in a new wave of complaints and lawsuits similar to that of PPI.

Wray says some companies will have already prepared for such an occurrence.

“Organisations that process personal data may have misprocessed it or may have had breaches that haven’t come to public light. So there are organisations who are revving up to do that.”

He said companies will look to take advantage of GDPR claims as the deadline for PPI claims (October 2019) approaches.

“They (CMCs) are going to be looking to ramp up on something as that ramps down. So yes, the claims management companies are going to be there, and insurers, banks, large processors of personal information seem to have deep pockets.

“They’re going to be rife for people coming and asking at the very least for subject access requests. So, requesting to see their personal data, that alone is going to create a burden on the industry.”

Will the industry see a rise in claims relating to misuse of information under GDPR?

Wray says that if it happened with PPI, why not GDPR?

“If those practices have been taking place for PPI, the same kind of organisations that are going to leap onto this.”

But if an individual complains, they are unlikely to gain any compensation.

GDPR is not going to be the sort of thing an individual can benefit from, Wray claims. He says that, other than complaining to the Information Commissioner’s Office (ICO), an individual cannot do much in terms of claims.

“The company will get fined, but the data subject who has been wronged is unlikely to get any money out of that process because the fines themselves are levied by ICO on the organisations themselves.”