The long-awaited General Data Protection Regulation (GDPR) came into force on 25 May 2018. It impacts how financial services organisations store, manage and process personal data about EU citizens. Non-compliance may lead to fines of up to €20m or 4 per cent of global annual turnover (whichever is higher).
GDPR represents a significant change to how personal data is collected and handled. It affects not just organisations based in the EU, but any organisation that conducts business there or holds and processes information relating to EU individuals.
When it comes to adopting GDPR, financial services institutions are presented with both advantages and disadvantages. Since the financial crisis, the sector has seen a range of new regulations come into effect, such as FATCA and MiFID II, so organisations should be familiar to some extent with the level of change that such large-scale regulatory developments require. Many organisations have already invested in resources to react to such new compliance requirements. However, GDPR shouldn’t be underestimated. Compliance can be challenging and therefore needs specific focus on where in-scope data resides in an organisation and how it is subsequently controlled.
A primary focus area is the type of data that is collected, processed and stored. For hedge fund organisations, this includes personal data on investors and investor personnel, employees’ data, data on individuals at service providers, potential regulator contact details, website user data and data linked to wider organisations.
Organisations and individuals that determine the purpose and means of data processing are classified as Data Controllers and are subject to a wide range of GDPR regulatory obligations. Therefore, a hedge fund manager will generally be a controller of the investor personal data held. Likewise, the hedge fund itself will be a controller of the investor personal data held.
Under GDPR there is also an enhanced focus on Data Processors. If an organisation processes personal data for “purposes and by means determined by others”, it is classified as a Data Processor. The regulatory requirements for Data Processors under GDPR are also enhanced. Service providers such as fund administrators and outsourced providers of, for example, HR and IT services will be processors in respect of many activities.
So, what does this mean for financial services organisations? Some of the primary requirements include:
- obtain explicit consent from individuals before processing their data;
- adopt processes that allow an individual’s right to be forgotten, right to data portability and right to object to data profiling to be met;
- appoint a Data Protection Officer (DPO) if completing large-scale data processing;
- ensure third-party contractors meet GDPR requirements;
- ensure Data Controllers keep records of personal data and processing activities;
- ensure Data Processors enhance their processes to meet GDPR requirements; and
- report data breaches to the relevant authority within 72 hours and notify affected individuals.
In this regard, for financial services organisations, it is important to know what data is stored and where it came from. Moreover, GDPR has led to refreshed policies, processes and procedures with regards to data governance.
The first year of GDPR
As financial services organisations head into the first year of GDPR implementation, it is important to test whether their new processes will help meet GDPR obligations. Will they protect organisations in the way they expect, and, are they robust enough to keep sensitive data safe? Only by evaluating controls will organisations be able to confidently answer these questions.
GDPR also emphasises a proactive approach to data risk management. In this regard, a Privacy Impact Assessment (PIA) should be conducted for any new IT system or change in business process that involves in-scope data. A PIA can reveal gaps in control frameworks before the change occurs, reducing the risk of a potential data breach.
It is good practice to carry out a PIA before new processes take effect. This will allow organisations to find and address control issues early on, giving them the best chance of avoiding reputational and financial losses if a data breach was to subsequently occur.
An educated and prepared workforce is a fundamental requirement of continued GDPR compliance. Trained frontline employees will help organisations recognise threats. This will help ensure that any data breaches are reported within the required 72-hour window. Knowledge levels are currently generally high, given the internal development we have seen within the financial services sector and wider media coverage. Maintaining this momentum will be key, however. At the same time, it is important to review whether those tasked with spearheading GDPR internally have the right skills and support to effect change and maintain governance.
Similarly, organisations should also evaluate whether their Data Protection Officer (DPO) (or equivalent) fulfils the best-practice requirements. Many organisations have asked their IT officer to take on the position. But expecting someone to check their own actions is inherently problematic; it can be difficult to identify issues and potential conflicts of interest.
Key focus areas going forward
Run a PIA before a change occurs
This will help organisations understand whether their new systems, processes, procedures and policies are fit for purpose.
Keep building awareness
Beyond the awareness and training delivered to date, simple methods such as screensavers and posters offer an easy and effective way to remind staff about the continual need for data integrity and protection.
Be clear about data handling processes
Financial services organisations typically hold large volumes of data about workers, customers and investors, including their address, date of birth, bank account details and medical records. Having a thorough understanding of in-scope data, and where changes in systems and data occur in the future, is of vital importance for organisations to underpin their data governance framework.
Internal governance and data breach incident response processes
Ensure that data privacy controls and incident response arrangements are well designed and tested for effectiveness. Any weaknesses can lead to a data breach and a potential fine. Moreover, it is also important to understand that a fine won’t necessarily be the course of action the local supervisory authority (for example the ICO in the UK) deems ‘appropriate’. Other sanctions available include data protection audits, warnings, reprimands and enforcement notices. Even more damaging than a fine, however, is the ICO’s (or its equivalents’) power to stop an organisation from processing data, impacting its reputation and its profit.
Overall, GDPR presents a risk but also an opportunity for financial services organisations. Clearly, there is an increased focus on the importance of robust data governance frameworks under GDPR – and the implications of a data breach will be much greater. However, by delivering greater transparency and accountability on how investors’ data is managed and controlled, the outcomes of GDPR can also enhance investors’ confidence in how their personal data is managed. This can consequently lead to greater engagement and confidence, encouraging investors to provide their personal data, which can only be a benefit to the financial services sector. Moreover, organisations on a global basis that can demonstrate a data governance framework in line with GDPR can maximise the opportunity for competitive advantage that GDPR compliance can offer.