The GDPR to-do list

The EU’s General Data Protection Regulation is now less than a year away, and affected firms still have much to do, heard attendees at GAIM London

Data and technology issues took up much of the conversation at the GAIM London conference, but one session got stuck into the particulars of the General Data Protection Regulation (GDPR), with speakers unravelling the requirements for investment managers and laying out a ‘to do’ list of responsibilities ahead of the 25 May 2018 implementation date.

Currently, the 28 EU member states are regulated by the EU Data Protection Directive. According to Lupe Sampedro, a partner in the international privacy and data protection practice at Bird & Bird, since its inception in 1995, the EU Data Protection Directive has been transposed into law in the 28 member states in “a quite inconsistent manner”.

There are different data protection obligations, and different rights for citizens, depending on the country in which an investment manager is based. More pressingly, there are drastically varying ways of penalising breaches of these rules, with data protection agencies having different levels of power—some can issue monetary penalties while others cannot.

As a regulation, GDPR will be directly applicable to all EU member states, allowing for a consistent single legal framework of protection data across Europe.

According to Sampedro, while GDPR will harmonise the legal framework, EU member states will still be able to regulate on top of it on certain specific areas.

Therefore, although GDPR will provide more consistency to the data protection legal framework, it will not fully harmonise it. While GDPR is significantly more restrictive than the current rules, it merely raises the bar. For some jurisdictions it will be a huge change. For others it won’t go as far, as their current legislation is quite restrictive already.

Sampedro went on to explain that a major change coming in with the regulation is the penalties for non-compliance. First, the monetary penalties are “higher than under any European data protection law”, up to €20 million, or 4 percent of a firm’s global annual turnover. Needless to say, the threat of financial penalty is driving companies to comply.

However, what could be concerning them more is the suspension of data processing. Under the regulation, data protection agencies will have the power to prohibit companies from processing, a penalty that effectively halts business entirely, producing an outcome that would be “much more disruptive to business than a monetary penalty”, Sampedro said.

Another major change will be around accountability, in that companies must be able to actively demonstrate their compliance with GDPR.

Another speaker, Marc Lotti, partner at ACA Aponix, suggested that regulators are specifically looking for policies and procedures here, “not simply a process that is enforced”. This will include assessing the compliance levels of third-party vendors, and being held accountable for them.

The same levels of data protection requirements must be imposed on any new vendor, and firms must also be able to prove they have completed the appropriate due diligence in choosing said vendor.

“If they have access to, or custody of, sensitive information, you could be at risk,” Lotti warned.

Sampedro added: “It’s not good enough to comply with the law, you need to build data governance, build policies internally, and have paperwork to demonstrate that compliance with GDPR.”

The regulation lays out obligation for a specific data protection officer (DPO) in certain cases, and mandates records of data processing to be maintained—that is, a registry of all the data in the company from employees and customers, explaining what is done with that information, and for what purpose it is used.

Sampedro explained that companies will have to adopt certain data protection by design, and through default measures: “We will need to make sure that privacy is at the core of the way we plan any business use of personal data”.

But there are exceptions to these rules: the obligation for a record of data processing, for example, only applies to firms with more than 250 employees.

James Tedman, managing director of ACA Aponix and moderator of the panel, called this exemption “pretty much irrelevant”. He noted that a record of data is fundamentally a data inventory allowing for better understanding of the data held, with justification for keeping the data, and explanations for where it is, how it’s secured and how it is passed to third parties.

“Just because you’re exempt from producing that report, you’re not exempt from your credentials under GDPR,” Tedman said.

“Frankly, without understanding what data you have and how it’s secured, it’s very difficult to abide by the obligations of the regulation.”

The DPO exemption, however, is linked to the activities of a company, rather than the size, and applies to companies that monitor individuals or process sensitive data on a large scale.

The position of DPO comes with additional compliance requirements, “which can be quite strict”, Sampedro said, suggesting instead that companies that do not meet the threshold to appoint a DPO under the GDPR should to build a data governance structure and “appoint someone to take care of data privacy, but that person does not need to be a DPO under the GDPR”.

The panel was in agreement that those firms not obliged to appoint a DPO should not take their GDPR responsibilities any more lightly. Lotti clarified: “If you don’t appoint a DPO it does not mean you shouldn’t have a data governance programme.”

Tedman added: “The responsibilities that would be taken by the DPO—ensuring that you understand your data protection obligations, ensuring that you have good knowledge of the data within your organisation—are key, and somebody within the organisation needs to take those responsibilities on.”

Finally, Tedman outlined a GDPR “to-do list” for investment managers, instructing attendees to ensure they understand the regulation, their responsibilities and obligations; to build up their personal data inventories; and to undertake risk assessments to review their existing measures and identify any gaps. Unless a firm fully understands its own environment, it is “pretty much impossible to secure it”, he said.

Companies should start to implement the appropriate technical measures, create records of processing, and review their operations, documents and service provider agreements—updating them where necessary. Tedman added that “a number” of vendors in the investment management space “would not pass GDPR inspection today”.

Although there is almost a year until the final GDPR implementation date, Lotti warned that this preparation should be considered “a regulatory priority”, and that it should be robust, as many firms have layers of technology and procedure that could be concealing non-compliant activity. Lotti said: “Once you start peeling back that onion, there can be a lot of surprises.”

The latest features from Asset Servicing Times
With the ratification of the final regulatory technical standards of SFTR imminent, market participants should begin to assess where to apply internal resource, and where to take advantage of existing processes. Pirum’s Duncan Carpenter outlines the scope, and potential impact of SFTR on the securities lending industry both within, and external to the EU
As technology developments shape the world around them, financial services firms are starting to adapt. This year’s Sibos conference outlined where the industry is settling in, and where there are still milestones to pass
Join Our Newsletter

Sign up today and never
miss the latest news or an issue again

Subscribe now
Rocky Martinez considers how AI can help improve post-trade processes, and how SmartStream’s new reconciliations solution is moving a step in the right direction towards helping firms keep costs at sustainable levels
New regulations, new competition and new cost pressures mean custodians and sub-custodians have more balls in the air than ever before
Mark Aldous, head of managed services for Delta Capita, discusses product governance and the need for more cooperation between manufacturers and distributors before the 3 January 2018
The past decade has seen significant change in securities services, but some challenges lead to lessons learnt, says Deutsche Bank’s Satvinder Singh
Artificial intelligence is already a reality in daily life, and it has a place in financial services, says Matt Davey of Societe Generale Securities Services
As technology has advanced, so too has the threat of cyberattack, and if financial services firms put a foot wrong, they stand to lose more than money
View features section
Country profiles
The latest country profiles from Asset Servicing Times
The Asian market may be improving on the harmonisation front, but the situation is still far from ideal. Experts discuss what there is still left to do
Brazil is hogging the limelight from its South American neighbours. But, although reforms are in full swing, there is still work to be done
Securities Lending Times

Visit our sister site
for all the latest securities lending news and analysis
No nation is an island, and the Polish CSD has post-trade services to cater to all of Central and Eastern Europe, says KDPW’s Iwona Sroka
In a region as geographically, culturally and economically diverse as Asia, funds passports have a tricky road ahead if they’re to redefine the industry
Amid cross-border restrictions and tightened belts, Luxembourg’s kingdom of real estate investment won’t be crumbling any time soon
The Chinese market has taken a knock to its confidence, but despite its size, it is still merely an emerging market, and must take these setbacks in its stride
Rich in sunshine, cork hats and tired clichés, Australia’s funds industry doesn’t buck the trend, boasting record levels of assets under custody
As the Saudi Arabian stock exchange finally opens its doors to foreign investments, the influx from abroad will be in baby steps, not leaps and bounds
View country profiles section
The latest interviews from Asset Servicing Times
The UK’s pensions industry is facing challenges from all angles, but KAS Bank’s cost transparency dashboard is here to lend a helping hand, says Pat Sharman
Real Estate Investment Times

Visit our sister site
for all the latest real estate investment news
View interviews section