The GDPR to-do list

The EU’s General Data Protection Regulation is now less than a year away, and affected firms still have much to do, heard attendees at GAIM London

Data and technology issues took up much of the conversation at the GAIM London conference, but one session got stuck into the particulars of the General Data Protection Regulation (GDPR), with speakers unravelling the requirements for investment managers and laying out a ‘to do’ list of responsibilities ahead of the 25 May 2018 implementation date.

Currently, the 28 EU member states are regulated by the EU Data Protection Directive. According to Lupe Sampedro, a partner in the international privacy and data protection practice at Bird & Bird, since its inception in 1995, the EU Data Protection Directive has been transposed into law in the 28 member states in “a quite inconsistent manner”.

There are different data protection obligations, and different rights for citizens, depending on the country in which an investment manager is based. More pressingly, there are drastically varying ways of penalising breaches of these rules, with data protection agencies having different levels of power—some can issue monetary penalties while others cannot.

As a regulation, GDPR will be directly applicable to all EU member states, allowing for a consistent single legal framework of protection data across Europe.

According to Sampedro, while GDPR will harmonise the legal framework, EU member states will still be able to regulate on top of it on certain specific areas.

Therefore, although GDPR will provide more consistency to the data protection legal framework, it will not fully harmonise it. While GDPR is significantly more restrictive than the current rules, it merely raises the bar. For some jurisdictions it will be a huge change. For others it won’t go as far, as their current legislation is quite restrictive already.

Sampedro went on to explain that a major change coming in with the regulation is the penalties for non-compliance. First, the monetary penalties are “higher than under any European data protection law”, up to €20 million, or 4 percent of a firm’s global annual turnover. Needless to say, the threat of financial penalty is driving companies to comply.

However, what could be concerning them more is the suspension of data processing. Under the regulation, data protection agencies will have the power to prohibit companies from processing, a penalty that effectively halts business entirely, producing an outcome that would be “much more disruptive to business than a monetary penalty”, Sampedro said.

Another major change will be around accountability, in that companies must be able to actively demonstrate their compliance with GDPR.

Another speaker, Marc Lotti, partner at ACA Aponix, suggested that regulators are specifically looking for policies and procedures here, “not simply a process that is enforced”. This will include assessing the compliance levels of third-party vendors, and being held accountable for them.

The same levels of data protection requirements must be imposed on any new vendor, and firms must also be able to prove they have completed the appropriate due diligence in choosing said vendor.

“If they have access to, or custody of, sensitive information, you could be at risk,” Lotti warned.

Sampedro added: “It’s not good enough to comply with the law, you need to build data governance, build policies internally, and have paperwork to demonstrate that compliance with GDPR.”

The regulation lays out obligation for a specific data protection officer (DPO) in certain cases, and mandates records of data processing to be maintained—that is, a registry of all the data in the company from employees and customers, explaining what is done with that information, and for what purpose it is used.

Sampedro explained that companies will have to adopt certain data protection by design, and through default measures: “We will need to make sure that privacy is at the core of the way we plan any business use of personal data”.

But there are exceptions to these rules: the obligation for a record of data processing, for example, only applies to firms with more than 250 employees.

James Tedman, managing director of ACA Aponix and moderator of the panel, called this exemption “pretty much irrelevant”. He noted that a record of data is fundamentally a data inventory allowing for better understanding of the data held, with justification for keeping the data, and explanations for where it is, how it’s secured and how it is passed to third parties.

“Just because you’re exempt from producing that report, you’re not exempt from your credentials under GDPR,” Tedman said.

“Frankly, without understanding what data you have and how it’s secured, it’s very difficult to abide by the obligations of the regulation.”

The DPO exemption, however, is linked to the activities of a company, rather than the size, and applies to companies that monitor individuals or process sensitive data on a large scale.

The position of DPO comes with additional compliance requirements, “which can be quite strict”, Sampedro said, suggesting instead that companies that do not meet the threshold to appoint a DPO under the GDPR should to build a data governance structure and “appoint someone to take care of data privacy, but that person does not need to be a DPO under the GDPR”.

The panel was in agreement that those firms not obliged to appoint a DPO should not take their GDPR responsibilities any more lightly. Lotti clarified: “If you don’t appoint a DPO it does not mean you shouldn’t have a data governance programme.”

Tedman added: “The responsibilities that would be taken by the DPO—ensuring that you understand your data protection obligations, ensuring that you have good knowledge of the data within your organisation—are key, and somebody within the organisation needs to take those responsibilities on.”

Finally, Tedman outlined a GDPR “to-do list” for investment managers, instructing attendees to ensure they understand the regulation, their responsibilities and obligations; to build up their personal data inventories; and to undertake risk assessments to review their existing measures and identify any gaps. Unless a firm fully understands its own environment, it is “pretty much impossible to secure it”, he said.

Companies should start to implement the appropriate technical measures, create records of processing, and review their operations, documents and service provider agreements—updating them where necessary. Tedman added that “a number” of vendors in the investment management space “would not pass GDPR inspection today”.

Although there is almost a year until the final GDPR implementation date, Lotti warned that this preparation should be considered “a regulatory priority”, and that it should be robust, as many firms have layers of technology and procedure that could be concealing non-compliant activity. Lotti said: “Once you start peeling back that onion, there can be a lot of surprises.”

The latest features from Asset Servicing Times
Industry participants discuss how factors, such as financial technology, have changed the role of transfer agents
After many years in the making, MiFID II has now become part of the regulatory furniture in Europe. However, the regulation’s first 30 days revealed lingering concerns around the scope of the changes
Join Our Newsletter

Sign up today and never
miss the latest news or an issue again

Subscribe now
Although MiFID II came into play on 3 January this year, now is not the time to relax as the job is only half done, says Peter Moss of SmartStream
With 2018 being a busy year for regulation in the financial services industry Jon Trinder and Matt Gibbs of Linedata discuss what firms should be working on around MiFID II, as well as the roll out of GDPR in May
With the industry in perpetual change, it’s important for firms to work together to take advantage of big data, according to Roy Kirby of SIX
As technology developments shape the world around them, financial services firms are starting to adapt. This year’s Sibos conference outlined where the industry is settling in, and where there are still milestones to pass
Rocky Martinez considers how AI can help improve post-trade processes, and how SmartStream’s new reconciliations solution is moving a step in the right direction towards helping firms keep costs at sustainable levels
New regulations, new competition and new cost pressures mean custodians and sub-custodians have more balls in the air than ever before
View features section
Country profiles
The latest country profiles from Asset Servicing Times
Luxembourg’s asset servicing industry has blossomed to boast a substantial portion of types of funds in need of back and middle office functions, and now Brexit may offer an opportunity for further growth
In order to stand out from competitors, Malta has resorted to innovative regulation, says to Joseph Camilleri of BOV Fund Services
Securities Lending Times

Visit our sister site
for all the latest securities lending news and analysis
Julien Kasparian, head of Hong Kong at BNP Paribas, explains the financial services industry in Hong Kong and how it competes globally
The Asian market may be improving on the harmonisation front, but the situation is still far from ideal. Experts discuss what there is still left to do
Brazil is hogging the limelight from its South American neighbours. But, although reforms are in full swing, there is still work to be done
No nation is an island, and the Polish CSD has post-trade services to cater to all of Central and Eastern Europe, says KDPW’s Iwona Sroka
In a region as geographically, culturally and economically diverse as Asia, funds passports have a tricky road ahead if they’re to redefine the industry
Amid cross-border restrictions and tightened belts, Luxembourg’s kingdom of real estate investment won’t be crumbling any time soon
View country profiles section
The latest interviews from Asset Servicing Times
Chris Meader, founder of the North American Fund Administration Association, discusses his new start-up association, which aims to provide a forum for administrators to understand the risks, concerns and the opportunities the industry is facing
View interviews section