General Data Protection Regulation for fund managers: time to act
The General Data Protection Regulation will come into play in May 2018, and should be on the radar of fund managers, investment advisers, and every company that processes data related to living EU residents.
Non-compliance will lead to significant penalties including a fine of up to €20m or up to 4% of annual turnover. Considering one in four businesses are unaware of GDPR, the sanctions pose a real threat.
It is already clear that there will be significant work involved in meeting the regulatory demands. This requires a collaborative effort from the organisation’s legal, compliance, human resources and information technology functions, and from any business units that interact with subject data.
Typically, fund managers will need a readiness assessment to identify their capabilities to comply with the new framework and then follow that up by identifying and documenting the legal basis for collecting data, how it is processed, used, and protected. The scale of the effort required is such that many smaller organisations are considering the use of a third party as they lack the internal expertise and tools to identify the gaps that must be addressed. If that route is followed, organisations must perform extensive due diligence on these third parties handling their subject data, including reviewing the third parties’ information and cyber security policies and procedures and their security attestation reports, and making on-site visits to their data centres. This is an ongoing process, and its frequency should be determined with a risk-based approach.
Third party and vendor contracts must be reviewed for specific data handling terms and requirements. New contracts will have these provisions, but the bigger challenge will be revisiting existing agreements that need revisions to add the additional terms and conditions.
The headlines on GDPR have also drawn attention to the data breach notification, the right to be forgotten, and the need to appoint a Data Protection Officer. In the event of a suspected data breach, GDPR requires organisations to identify the categories of data and the number of data subjects affected, and to document the measures taken to mitigate the breach. Notifying the supervisory authority of a subject data breach is required within 72 hours of discovering it. Even if the exposure is not serious, the company must keep records internally.
Accidental or unlawful destruction, unauthorised disclosure, alteration, loss, or access to subject data is considered a data breach. Therefore, organisations must have clearly defined procedure plans to identify, categorise, and report data breach incidents. Data mapping exercises can identify where subject data is stored, where it travels, who has access to it, and how it’s protected. All plans to protect against or mitigate a breach should be routinely tested against relevant threat scenarios.
The right to be forgotten, reinforced in Principle 5 of the current Data Protection Act, has sparked further confusion. ‘The right to be forgotten and to erasure’ is not always a legitimate request and does not stand as an unconditional right. Although firms should have procedures in place to comply with any request, there may be instances where the request itself does not meet the European Court of Justice’s criteria and can be avoided.
The requirement to appoint a Data Protection Officer applies only to firms who operate in the public sector or employ 250 staff. However, the regulation does recommend a qualified individual to be appointed with responsibility for data protection at all times. So for most firms, this will be the action needed.
The GDPR deadline is less than a year away, and wealth managers need to extensively review their current data protection policy and procedures against the requirements of the regulation. This is going to take considerable cross-company collaboration and there is significant ground to cover. The time for preparation is now, so any gaps must be identified sooner rather than later, and paired with a suitable action plan to meet the obligations of GDPR.
Michael Corcione is managing director, Cyber Security and Data Protection Consulting Services, Cordium
 Figures from a survey by Ipsos Mori and Brodies LLP