GDPR – Getting Data Protection Right

Data is now the most valuable commodity in the modern economy, making it a target for those who wish to exploit it by any means necessary. Regulators are scrambling to keep up and ensure personal data is not compromised. In May, the EU will implement unprecedented data protection regulations.

Rarely a day passes without a report of a data breach, hack, or cyber threat. Last week, the Securities and Exchange Commission announced that hackers had breached its systems and had used the stolen information to make illegal trading profits. This disclosure follows on the heels of the Equifax data breach, the largest-scale loss of personal information to date.

Global regulators are requesting more data from banks and asset managers for regulatory reporting, increasing the volume and detail of data flows, which in turn increases the risk that confidential information will end up in the wrong hands. Asset management is no stranger to personal, sensitive, and valuable data. To comply with regulations and retain the trust of investors, cybersecurity must rank highly among the business priorities of asset managers. The implementation of the upcoming General Data Protection Regulation (GDPR) aims to move cybersecurity standards to the next level.

Europe Gets Serious on Data Protection

GDPR represents the EU’s attempt to boost data protection standards across all industries. GDPR replaces the existing patchwork quilt of country-level data protection rules, harmonizing standards and obligations across all EU member states. It applies to the processing of personal data by controllers and processors in the EU even if the processing takes place in another part of the world. Hence, global asset managers, UCITS management companies, and Alternative Investment Fund Managers all fall within the scope of GDPR.

GDPR ushers in an era that acknowledges the volume and value of personal data in the modern digital world. It sets stringent parameters on the use of personal data and substantially increases EU citizens’ rights regarding the use of their confidential information.

GDPR in a Nutshell

  • Provides EU citizens with greater consent rights and a “right to be forgotten”
  • States personal data should only be retained when necessary and not kept just in case
  • Mandates the appointment of a data protection officer
  • Outlines the timeline for reporting data breaches
  • Imposes third-country standards for transfer of data to and from the EU
  • Enforces sanctions and fines for breaches or compliance failures

Asset Manager Specifics

There are two specific areas of sensitivity for asset managers operating under GDPR: the transmission of personal data, and the overlap with other regulatory reporting requirements, such as MiFID 2.

The transmission of confidential employee, company, or investor information is fundamental to asset management. The management company, fund, or appointed delegates retain shareholder details as required by regulation. Many of the concepts contained in GDPR on the use and protection of personal data already exist in the industry; however, under the GDPR ruleset the rules are codified more specifically, the obligations are increased, and the consequences of a breach are much sterner. If a data breach does occur, GDPR imposes fines of up to 4% of annual turnover. It also mandates that breaches be communicated within a 72-hour period, emphasizing the need to quickly identify a breach and send timely notifications.

Asset managers also need to fully understand how MiFID 2’s transaction reporting requirements intersect with GDPR. Personal details of the person executing the trades must be securely transmitted to the regulator, in this case ESMA. This new requirement removes anonymity from trading, but could also create a new type of personal data risk to asset managers complying with the reporting requirements.

Equifax: A GDPR Case Study

Equifax’s breach is estimated to have impacted 143 million customers and there was a six-week gap between issue identification and notification. Had this fallen under GDPR, the penalty for the disclosure delay would be about $70 million. In addition, Equifax’s operating revenue last year was $3.15 billion. Based on GDPR’s 4% maximum, they’d be required to pay $126 million in regulatory fines. These payments are separate from any direct customer actions, not to mention the cost of reputational damage.

Meeting the Deadline

GDPR takes effect on May 25, 2018. Not sure where to begin? Here are the top action items you can start today:

✔️ Take inventory of your data. What personal data is currently retained and by whom?

✔️ Review documents. Check and update the data privacy language of all current prospectuses, fund application forms, and vendor contracts.

✔️ Confirm data-processing rationale. Check that investors have provided consent and all data retained is necessary.

✔️ Appoint a data protection officer. Who is responsible for overseeing all cybersecurity tasks?

✔️ Examine vendors. Discuss GDPR with all service providers in the data chain.

✔️ Assemble protocol. Review and revise communication plans to ensure prompt and thorough notification in case of a breach.

✔️ Catalogue third-country issues. Index all instances of data that is transferred to non-EU countries and ensure those third countries have compliant data protection standards.