Data and technology issues took up much of the conversation at the GAIM London conference, but one session got stuck into the particulars of the General Data Protection Regulation (GDPR), with speakers unravelling the requirements for investment managers and laying out a ‘to do’ list of responsibilities ahead of the 25 May 2018 implementation date.
Currently, the 28 EU member states are regulated by the EU Data Protection Directive. According to Lupe Sampedro, a partner in the international privacy and data protection practice at Bird & Bird, since its inception in 1995, the EU Data Protection Directive has been transposed into law in the 28 member states in “a quite inconsistent manner”.
There are different data protection obligations, and different rights for citizens, depending on the country in which an investment manager is based. More pressingly, there are drastically varying ways of penalising breaches of these rules, with data protection agencies having different levels of power—some can issue monetary penalties while others cannot.
As a regulation, GDPR will be directly applicable to all EU member states, allowing for a consistent single legal framework of protection data across Europe.
According to Sampedro, while GDPR will harmonise the legal framework, EU member states will still be able to regulate on top of it on certain specific areas.
Therefore, although GDPR will provide more consistency to the data protection legal framework, it will not fully harmonise it. While GDPR is significantly more restrictive than the current rules, it merely raises the bar. For some jurisdictions it will be a huge change. For others it won’t go as far, as their current legislation is quite restrictive already.
Sampedro went on to explain that a major change coming in with the regulation is the penalties for non-compliance. First, the monetary penalties are “higher than under any European data protection law”, up to €20 million, or 4 percent of a firm’s global annual turnover. Needless to say, the threat of financial penalty is driving companies to comply.
However, what could be concerning them more is the suspension of data processing. Under the regulation, data protection agencies will have the power to prohibit companies from processing, a penalty that effectively halts business entirely, producing an outcome that would be “much more disruptive to business than a monetary penalty”, Sampedro said.
Another major change will be around accountability, in that companies must be able to actively demonstrate their compliance with GDPR.
Another speaker, Marc Lotti, partner at ACA Aponix, suggested that regulators are specifically looking for policies and procedures here, “not simply a process that is enforced”. This will include assessing the compliance levels of third-party vendors, and being held accountable for them.
The same levels of data protection requirements must be imposed on any new vendor, and firms must also be able to prove they have completed the appropriate due diligence in choosing said vendor.
“If they have access to, or custody of, sensitive information, you could be at risk,” Lotti warned.
Sampedro added: “It’s not good enough to comply with the law, you need to build data governance, build policies internally, and have paperwork to demonstrate that compliance with GDPR.”
The regulation lays out obligation for a specific data protection officer (DPO) in certain cases, and mandates records of data processing to be maintained—that is, a registry of all the data in the company from employees and customers, explaining what is done with that information, and for what purpose it is used.
Sampedro explained that companies will have to adopt certain data protection by design, and through default measures: “We will need to make sure that privacy is at the core of the way we plan any business use of personal data”.
But there are exceptions to these rules: the obligation for a record of data processing, for example, only applies to firms with more than 250 employees.
James Tedman, managing director of ACA Aponix and moderator of the panel, called this exemption “pretty much irrelevant”. He noted that a record of data is fundamentally a data inventory allowing for better understanding of the data held, with justification for keeping the data, and explanations for where it is, how it’s secured and how it is passed to third parties.
“Just because you’re exempt from producing that report, you’re not exempt from your credentials under GDPR,” Tedman said.
“Frankly, without understanding what data you have and how it’s secured, it’s very difficult to abide by the obligations of the regulation.”
The DPO exemption, however, is linked to the activities of a company, rather than the size, and applies to companies that monitor individuals or process sensitive data on a large scale.
The position of DPO comes with additional compliance requirements, “which can be quite strict”, Sampedro said, suggesting instead that companies that do not meet the threshold to appoint a DPO under the GDPR should to build a data governance structure and “appoint someone to take care of data privacy, but that person does not need to be a DPO under the GDPR”.
The panel was in agreement that those firms not obliged to appoint a DPO should not take their GDPR responsibilities any more lightly. Lotti clarified: “If you don’t appoint a DPO it does not mean you shouldn’t have a data governance programme.”
Tedman added: “The responsibilities that would be taken by the DPO—ensuring that you understand your data protection obligations, ensuring that you have good knowledge of the data within your organisation—are key, and somebody within the organisation needs to take those responsibilities on.”
Finally, Tedman outlined a GDPR “to-do list” for investment managers, instructing attendees to ensure they understand the regulation, their responsibilities and obligations; to build up their personal data inventories; and to undertake risk assessments to review their existing measures and identify any gaps. Unless a firm fully understands its own environment, it is “pretty much impossible to secure it”, he said.
Companies should start to implement the appropriate technical measures, create records of processing, and review their operations, documents and service provider agreements—updating them where necessary. Tedman added that “a number” of vendors in the investment management space “would not pass GDPR inspection today”.
Although there is almost a year until the final GDPR implementation date, Lotti warned that this preparation should be considered “a regulatory priority”, and that it should be robust, as many firms have layers of technology and procedure that could be concealing non-compliant activity. Lotti said: “Once you start peeling back that onion, there can be a lot of surprises.”