EU Imposes Strict Regulatory and Data Protection Compliance Measures

Are You Ready for the General Data Protection Regulation (GDPR)?

The European Union has imposed a strict data protection regulations on firms established in the EU and on all firms that control or process European personal data. All firms subject to the regulations must comply by May 25, 2018.

Impact to Firms Outside the EU

GDPR definitions are broad and firms outside the EU are struggling to understand the complexity and how the permutations of rules apply to their data. Firms doing business in Europe are concerned that their existing data privacy policy and control framework may not support the GDPR rules, such as:

• Data Breach Notifications must be provided to regulators and individuals whose data was compromised.
• Right To Be Forgotten must be provided to all individuals, which requires firms to be able to destroy personal data that may reside on multiple systems.
• Privacy Impact Assessments must be conducted defined data processing operations.
• Proactive Privacy Controls must be incorporated into daily operations and new business processes.

Impact to U.S. Asset Managers

Many U.S. fund managers are “controllers” of EU personal data under the GDPR definitions and will need to implement a data governance and control framework to comply with the regulations. To assess the exposure and the ability to comply with the regulations, fund managers must be able to answer the following questions:

• Do we capture EU customer data? Data subject to the regulation must be easily identifiable in offering documents, LP agreements, client and vendor documents or other related files.
• Where does the data reside? GDPR expects firms to be able to identify and classify EU personal data that is stored internally or with a third-party administrator.
• Are the current policies and controls sufficient? – Fund managers will need to have the requisite compliance framework to allow for the identification and classification of EU personal data.
• Can we collect the required consent? Fund managers will be required to document consent from the data owner, which may include current and prospective investors, sub-advisors, and other participants.

STEPS TO TAKE

Risk Assessments

Conduct GDPR Risk Assessments to assess your firm’s current policies and data management processes.

Risk assessments should be low-impact to the organization and seek to answer the following questions:

• Does the firm control or process personal data that is subject to GDPR?
• Does the firm have the data privacy and technology policies required to support GDPR?
• Does the firm have the governance and control framework required to support the policies?

Remediation

Build or enhance the existing framework to address GDPR requirements in the following areas:

• Data Privacy and Information Risk Management Policies
• Technology Infrastructure and Data Storage
• Data controls and audit trails
• Customer Consent and Disclosure

Monitoring & Training

A GDPR Risk Assessment should be incorporated into firm processes, providing on-going monitoring of the firm’s Data Privacy and Information Risk Management policies.