The General Data Protection Regulation (GDPR) may be a European Union initiative, but it won’t just affect EU-based data controllers and processors.
Instead, the regulation, which comes into force on May 25, will apply to all firms that hold or service the personal data of EU individuals (whether or not they are EU citizens) – which means many non-EU investment managers could find themselves caught in the regulation’s net.
The GDPR aims to give EU “data subjects” more control over how their personal data is used and stored. The result is much stricter rules on how organizations access and share that data.
A non-EU fund or wealth manager may fall under the regulation if it:
Furthermore, the definition of personal data has been extended. Under GDPR, personal data covers identifiers such as IP addresses, cookies and RFID tags, in addition to Personally Identifiable Information (PII). It is not just investor or client data that investment managers must consider either, but the personal data of employees.
And the penalties for non-compliance are steep: depending on the type and seriousness of any offense, fines can be up to €20 million or 4% of a company’s annual global turnover, whichever is higher.
Plus there is the significant damage a firm's reputation could suffer if it is seen to be lax with its clients’ personal details.
So what changes does the GDPR bring? The main requirements are:
- Investment firms must obtain data subjects’ freely given, unambiguous consent to process their information.
- Individuals have the right to know whether a firm holds their personal data, and what information it has.
- Individuals have the right to demand that firms permanently erase their data.
- Individuals also have the right to copy and transfer their personal data, so it can be used by other service providers.
- All the GDPR’s privacy principles must be built into products, projects, processes and systems from the outset, not as afterthoughts.
- Investment firms that use extensive data monitoring or profiling must appoint a data protection officer (DPO).
- Data “processors” (i.e. service providers, such as fund administrators) are now subject to the regime, in addition to data “controllers” (the investment funds and management companies that determine how and why personal data is processed).
- Investment firms must inform their national data protection authority of any data breach no later than 72 hours after discovering it. Data subjects must also be notified “without undue delay” when a breach poses a high risk to their rights and freedoms.
- Organizations must show how they comply with the rules, which requires them to document their data processing activities.
The first step for non-EU investment managers is to determine whether they are in fact subject to the rules, by examining what activities they carry out in the EU or that relate to data subjects in the EU. This includes any business process outsourcing to an EU-located third party that uses the firm’s personal data.
Where GDPR does apply, firms must then conduct a data due diligence review, and adapt their policies, processes and systems in response to ensure they can comply.
According to law firm Proskauer Rose, this will include:
- Reviewing and updating data protection policies and/or notices (for example, firms will need to clearly outline to clients and prospects what data they are collecting and why).
- Reviewing and updating agreements regarding data transfers, including international transfers.
- Reviewing and updating service provider agreements and employment documentation.
- Reviewing and updating fund documentation (e.g. fund subscription agreements) where required.
- Reviewing information security policies.
- Reviewing data retention and erasure practices and policies.
- Ensuring processes are in place for handling data breaches.
- Training staff on data protection practices.
- Determining whether an EU representative and/or DPO needs to be appointed.
- Asset and wealth managers will also have to ensure their systems can track and limit who sees a client’s data, and allow data to be ported and deleted.
The good news for non-EU companies, as noted by NQA, a provider of environmental simulation testing, inspection and certification services in the United States, is that if they already comply with some existing data protection standards, there may be less work to do in meeting GDPR requirements.
For example, some overlaps exist with the US’s ISO 27001 and National Institute of Standards and Technology (NIST) framework. The Privacy Shield program, created by the US, EU and Switzerland, also provides partial GDPR compliance – particularly around cross-border data transfers.
But there will be gaps. So make sure you don’t leave it too late to bridge them.