2018 will see a raft of new regulation that will impact the funds industry. Following last month’s piece on the Base Erosion and Profit Shifting initiative, here we take a look at the forthcoming General Data Protection Regulation.
Given the massive rise in the uses of data over the past couple of decades, the EU will in May update its 1995 data protection directive with a new General Data Protection Regulation (GDPR).
Under the complex new set of rules, asset managers who choose to outsource data management will be particularly affected.
The regulation, which was over five years in the making, distinguishes between ‘data controllers’ (those that determine why and how personal data is processed) and ‘data processors’ (those that process it on a controller’s behalf and on its instructions).
Firms that outsource the processing of data will also have to be aware of their role and responsibilities as they will have to be more vigilant about how their service providers are using and processing data.
Administrators can therefore expect to be subject to more oversight and due diligence.
One of the things that will need to be determined is where responsibility and liability lie in an outsourcing relationship between fund managers and their administrators.
When third-party administration firms collect data on behalf of the fund manager, the administrator may itself become a data controller for that data rather than merely a processor, so the GDPR will also affect the administrator directly.
Managers will also have to consider whether they should be categorised as a data controller or a data processor, how their firm processes data, what systems they use and how that data is protected (an issue that would almost certainly arise if a firm uses cloud-based systems).
Data that managers hold on their own staff – from human resources files to employment contracts and bank records – is also covered by the regulation.
With five months to go until the GDPR takes effect, the prospect of fines for non-compliance is helping to concentrate managers’ minds.
For the most serious infringements these can reach 4% of annual worldwide turnover or €20 million, whichever is higher.
Individuals will be able to ask for a copy of all personal data held on them (the right of access), ask for it to be deleted (the so-called ‘right to be forgotten’, or right to erasure) or ask to have it transferred to a different service provider (the right to data portability).
The GDPR will also have implications for a firm’s cyber security: any fund manager who outsources data management to administrators will have to satisfy itself that the administrators are doing what they should be doing and have sufficient controls in place, with the findings recorded in a data protection impact assessment (DPIA).
In addition, administrators will have to manage any transfer of data and be able to show where that data is at all times, together with the controls that apply to it, as part of a detailed data flow analysis.
Supervisory authorities will have to be notified of a personal data breach within 72 hours of the firm becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected.
Even where notification is not required, firms will have to keep an internal record of the breach, its effects and the remedial action taken.
Firms will also have to ensure that their systems and reporting tools are fit for purpose.
Another consideration for both managers and administrators will be the appointment of a data protection officer, if they haven’t already appointed someone to fill that position.
The requirement to appoint a data protection officer applies to public authorities and to firms whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data; the 250-employee threshold found in earlier drafts did not survive into the final text (a threshold of that size applies only to the separate duty to keep records of processing activities).
Firms will also have to consider the data protection implications when data is transferred across borders, especially outside the EU, where a transfer needs a lawful basis such as an adequacy decision, appropriate safeguards or the explicit consent of the data subjects, and they will need to maintain constant visibility of where that data is.
Firms will also have to consider the privacy notices that they send to clients about the collection of their personal data.
The GDPR has extraterritorial reach: it applies not only to organisations established in the EU but to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour.
It applies from May 25, 2018 and will – despite Brexit – apply in the UK until at least 2019, along with the remaining 27 EU member states.
©2018 funds europe