EU Imposes Strict Regulatory and Data Protection Compliance Measures
March 16, 2018
By Louis Bruno
Are You Ready for the General Data Protection Regulation (GDPR)?
The European Union has imposed a strict data protection regulations on firms established in the EU and on all firms that control or process European personal data. All firms subject to the regulations must comply by May 25, 2018.
Impact to Firms Outside the EU
- Data Breach Notifications must be provided to regulators and individuals whose data was compromised.
- Right To Be Forgotten must be provided to all individuals, which requires firms to be able to destroy personal data that may reside on multiple systems.
- Privacy Impact Assessments must be conducted defined data processing operations.
- Proactive Privacy Controls must be incorporated into daily operations and new business processes.
Impact to U.S. Asset Managers
Many U.S. fund managers are “controllers” of EU personal data under the GDPR definitions and will need to implement a data governance and control framework to comply with the regulations. To assess the exposure and the ability to comply with the regulations, fund managers must be able to answer the following questions:
- Do we capture EU customer data? Data subject to the regulation must be easily identifiable in offering documents, LP agreements, client and vendor documents or other related files.
- Where does the data reside? GDPR expects firms to be able to identify and classify EU personal data that is stored internally or with a third-party administrator.
- Are the current policies and controls sufficient? – Fund managers will need to have the requisite compliance framework to allow for the identification and classification of EU personal data.
- Can we collect the required consent? Fund managers will be required to document consent from the data owner, which may include current and prospective investors, sub-advisors, and other participants.
STEPS TO TAKE
Conduct GDPR Risk Assessments to assess your firm’s current policies and data management processes.
Risk assessments should be low-impact to the organization and seek to answer the following questions:
- Does the firm control or process personal data that is subject to GDPR?
- Does the firm have the data privacy and technology policies required to support GDPR?
- Does the firm have the governance and control framework required to support the policies?
Build or enhance the existing framework to address GDPR requirements in the following areas:
- Data Privacy and Information Risk Management Policies
- Technology Infrastructure and Data Storage
- Data controls and audit trails
- Customer Consent and Disclosure
Monitoring & Training
A GDPR Risk Assessment should be incorporated into firm processes, providing on-going monitoring of the firm’s Data Privacy and Information Risk Management policies.