The final days for compliance with the General Data Protection Regulation (GDPR) are upon us. 2018 ushers in a new year and new privacy compliance requirements. In the past, global companies have been, for the most part, spared from many of the EU's more onerous privacy regulations. The GDPR changes that with an expanded scope that includes any company engaged in the transmission of data to or from the EU, regardless of where the company is located. Adding a painful sting to the rules, regulators could penalize non-compliant entities up to 20 million euros or 4% of worldwide turnover, whichever is greater.
Who, What, Where, When, and Why?
Global asset managers, UCITS, and AIFMD management companies are within the scope of GDPR and must conduct a data audit to determine whether their processes for handling data meet the new requirements. In doing so, however, asset managers may find challenges in the limited prescription regulators provided related to rule implementation. Managers have until May 25, 2018 to document their compliance. At a minimum, this means they should consider documenting each of the following:
- The reason for processing personal data
- The type of personal data maintained, where it is stored, and who has access to it (including third parties and other entities it may be shared with)
- How the data is being processed and how they can prove it's processed legally
- How the data is protected
- How the data is removed and destroyed when requested
- The process to monitor for breaches and what notification protocols are in place
Global asset managers with employees in Europe also need to consider their own employee data. Regulators consider all employee personal data within scope, including for individuals who live outside of the EU. However, there is an exception for non-EU asset managers if they can document that their EU business activity is “incidental,” or if they don't have a physical presence in the EU and do not actively market to clients in Europe. Even then, managers should monitor and review business activities with EU Entities on an ongoing basis to ensure they remain outside the scope of GDPR.
How to Prepare
Asset managers should consider appointing a data protection officer (DPO), or point person for dealing with EU regulators. While the regulation allows for delegation of this role to a third party, it could easily become a full-time function for many firms. The rules include a 72-hour reporting requirement anytime there is a breach of personal data, which may include accidental disclosure or potential exposure related to a system hack. Asset managers must keep the data audit up-to-date and be able to produce documentation demonstrating compliance for regulators. If the DPO identifies data processing or control activities contrary to the regulations, he or she should escalate to senior managers and, as required, to regulators.
One of the biggest challenges asset managers may encounter is the process of getting consent from clients for holding their personal data. Consent can be difficult to obtain, and clients can revoke their consent at any time, known as “the right to be forgotten.” Managers are allowed to obtain consent electronically if what the client is agreeing to is clear. It cannot be a negative election (i.e., opt-out), which is more typical with US 401(k) plans, for example. Instead, customers need to affirmatively declare (i.e., opt-in) that they agree. An exception to the consent rule is when a manager is keeping data for legal reasons, such as reporting income to tax authorities. This does not require consent. Asset managers continue to debate the practical implementation of how to apply investor consent to EU regulated funds, such as UCITS and AIFMD. At a minimum, managers should update application and subscription forms to account for GDPR requirements.
Under GDPR, companies should keep data only for as long as it's needed for processing related to the original purpose for which it was given. Once the purpose for processing has passed, the data should be destroyed. In addition, the GDPR applies to all information relating to an identifiable person, not just private data. Asset managers also need a legal reason to process information gathered from public sources like LinkedIn or Facebook. Similarly, EU citizens can now request that their information be deleted, unless it is being kept for legal reasons, such as anti-money laundering (AML) requirements.
GDPR requires managers to conduct a data protection impact assessment (DPIA) any time data processing could result in high risk to the individual, which could be when new technology is introduced or there is profiling of individuals. For example, if a manager opens accounts for individuals, it is likely regulators would consider such processing high-risk and would require a data protection impact assessment. The DPIA will outline the information processed, the controls in place to protect the data, and any gaps or residual risks.
A Chain is Only as Strong as its Weakest Link
While asset managers may contractually outsource data processing to a third party, they cannot outsource the compliance obligations. Each asset manager is responsible for maintaining adequate controls to protect the data they process. For global managers, another complicating factor is that they often use a single operating platform to gather data about clients and their accounts. Managers must now ask themselves whether it makes sense to put up walls within the system to isolate EU personal data. Managers should limit access to personal data to those that need the information to perform their job functions.
Because of the scope of the regulation and its global effect, it's important that asset managers alert all their employees to the potential impact of GDPR, including their boards and senior managers who can formulate plans to implement the regulation appropriately. It will be a complicated, time-consuming, and expensive proposition for most managers, but will ultimately safeguard the personal information of investors and mitigate the risk of certain data breaches in these complex times.
This article was originally published in the 2018 Regulatory Field Guide. The guide features insights from a number of our experts on key regulatory developments that will have the greatest impact for asset managers in the year ahead – and beyond. Visit bbh.com/regulatoryfieldguide to explore the guide.
This publication is provided by Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) to recipients, who are classified as Professional Clients or Eligible Counterparties if in the European Economic Area (“EEA”), solely for informational purposes. This does not constitute legal, tax or investment advice and is not intended as an offer to sell or a solicitation to buy securities or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code or for promotion,marketing or recommendation to third parties. This information has been obtained from sources believed to be reliable that are available upon request. This material does not comprise an offer of services. Any opinions expressed are subject to change without notice. Unauthorized use or distribution without the prior written permission of BBH is prohibited. This publication is approved for distribution in member states of the EEA by Brown Brothers Harriman Investor Services Limited, authorized and regulated by the Financial Conduct Authority. BBH is a service mark of Brown Brothers Harriman & Co., registered in the United States and other countries. © Brown Brothers Harriman & Co. 2018. All rights reserved. 1/2018 IS-03631-2018-01-26 Expires 1/26/2020