Welcome back from the holiday season. Feeling refreshed? Great …
Let’s talk about the General Data Protection Regulation – aka GDPR – from the European Union that is due to swing into effect on 25 May 2018.
Whether you are in the UK, the EU or elsewhere, if you deal with EU clients, you now have less than four months to get your data infrastructure, tech policies and related procedures in shape. It is yet another regulation, arriving just after MiFID II, but we knew it was coming and we had years (the draft legislation was published in 2012) to prepare for it. Nevertheless, there is still a sense of panic in the air, partly because there is a lot to do, but also because breaches of this new regulation could be punished severely, with fines of up to the higher of 4% of annual revenue or EUR 20 million. However, Article 83 and recital 150 of the GDPR make clear that fines must be proportionate, so it is highly unlikely that – except in the most exceptional and extreme cases – fines of this magnitude will emerge. The intent of the hefty fines seems to be much more to punish those who would blatantly disregard their responsibilities under the GDPR.
GDPR is going to apply to all firms that hold or process individuals’ data. Most companies in the UK are already bound by the Data Protection Act (1998), but the GDPR goes further and places additional requirements on the handling and protection of such data. Monitoring your processes, and being able to evidence that you applied and tested them (including training your staff), are key elements of any future defence and will demand some reorganisation.
The GDPR will be directly effective in each EU member state, with the goal that the same rules will be applied uniformly within the EU. This marks a significant shift in the approach to data protection at a European level: until 25 May 2018, data protection relied on each EU member state’s national implementation of what was a “directive”; the GDPR is a “regulation”, which applies directly.
In fact, we find ourselves in the midst of the transition period, in which we need to assess our current approach to data protection, undertake a gap analysis between that approach and the requirements under the GDPR, and implement any changes and improvements that are required to achieve demonstrable compliance with those requirements.
An important question is whether the UK – given that the GDPR is an EU regulation – will be bound by it after Brexit. The short answer is yes. Brexit will also not affect the commencement of the GDPR. Moreover, like the Data Protection Act, the GDPR contains the concept of “equivalence”, which guarantees that a country with a commensurate level of data protection can work with the EU. It is likely that the UK will strive to maintain such a standard of data protection. Many of the UK-hosted pan-EU financial technology companies will quite certainly rely on equivalence and would be adversely impacted otherwise.
What does GDPR mean for asset and wealth managers? The Information Commissioner’s Office (ICO) – the UK’s independent authority appointed to uphold information rights and provide guidance on legislation such as the GDPR – has set out a series of 12 steps that all companies should be undertaking. These range from reviewing the privacy notices used when collecting personal data, through documenting the personal data held, to becoming familiar with the requirements for Protection Impact Assessments and ‘Protection by Design’. The ICO has also published specific guidance on key GDPR topics, including the changes to Privacy Notices, and has committed to publishing further guidance on the use of Consent (as a mechanism for holding and processing personal data) and on Contracts & Liability in late 2017. Asset and wealth managers should be reviewing their data protection provisions in light of the GDPR and the ICO’s initial guidance.
The GDPR involves a complex set of concepts, principles, rights and rules, so it comes as no surprise that misinterpretations are widespread. Things get even more complicated when you keep in mind that this new law will coexist side by side with current legislation. One common misunderstanding, for example, is that under the GDPR consent is the only lawful ground for direct marketing. In fact, one way to justify direct marketing activities will be the “legitimate interests” of those promoting their goods and services. Separately, under the e-privacy regime, e-mail marketing is subject to a specific consent requirement that has to meet the GDPR standard of consent. Yet the exemption from that rule (the “soft opt-in”, which resembles an “opt-out”) still applies in specific cases. In practice, this means that marketers who have lawfully relied on this exemption should be able to continue to do so – subject to legal advice – after the GDPR becomes applicable.
Privacy by design and by default
The GDPR puts personal data protection front and centre as a fundamental right of the individual. The significant strengthening of data protection rules inherent in the GDPR – and especially the sanctions it introduces – emphasises the need for each organisation to have full control of the flows of investor and other personal data that it controls or processes. Each firm also has to ensure that it puts appropriate notification, processing, transfer and security arrangements in place to protect the fundamental rights and freedoms of individuals when processing their personal data.
With this in mind, organisations may benefit from adopting a holistic approach – giving consideration to the legal, technical and operational aspects simultaneously, thus allowing for a smooth and cohesive transition to GDPR compliance. An example of how this approach can be put into practice follows:
- Engagement with management: Depending on a firm’s current approach to data protection and information security, becoming GDPR compliant could involve a serious commitment from the business. Foundations will have to be put in place to ensure ongoing compliance. It might be necessary to brief management and agree the strategy at the start of the project.
- Appointment of internal resources: Identify whether your organisation is required to appoint a Data Protection Officer (DPO). It might also be a good idea to identify a core GDPR team representing key operational areas of the business to manage the compliance project. Do not appoint a DPO unless you are required to do so, as you may incur related obligations that would not otherwise apply.
- Data Mapping: Mapping the data flows in and out of an organisation gives a better insight into the data protection issues relevant to it and forms a foundation for the ongoing compliance project.
- Identification: Using the results from the data mapping exercise, your organisation can identify areas of non-compliance and prepare a strategy plan with implementation timescales.
- Training: A substantial part of GDPR compliance and any further defence is training for staff members who are involved in data processing. Once a strategy plan has been identified, staff can be trained on GDPR standards generally and any new policies and processes that will be implemented within the organisation ahead of GDPR.
- Implementation: Implementation of the strategy plan (e.g. reviewing and updating privacy notices, outsourcing arrangements, data sharing arrangements, etc.).
- Post GDPR: Once the requirements of GDPR have been met, an ongoing compliance programme should be adopted and monitored going forward. This could include regular training sessions, undertaking privacy impact assessments for new systems or products, audits, etc.
So, to go back to our initial question of whether there is a monster lurking under the bed: for Laven, the answer is no. In fact, the GDPR brings lots of advantages and opportunities with it, some of which are:
- Simplification: organisations will no longer be required to register with a data protection authority in each Member State in which they are established.
- Consistency: by its very nature of being a regulation instead of a directive, the principles underpinning the GDPR should be enforced consistently across the EU.
- Harmonisation: the standardisation that the GDPR is intended to provide will allow organisations to follow one set of rules no matter where they are based.
- Cross-border data transfers: binding corporate rules and codes of conduct are finally confirmed as valid methods of legitimising otherwise prohibited transfers of personal data outside the EEA.
- Clean house: the GDPR will require a review of data handling and processing procedures, which represents a great opportunity to review and map your data flows – and restructure them not only for compliance, but also for business efficiency.
- Clarification: the GDPR has clarified certain key concepts such as anonymisation and pseudonymisation.
- Innovation: for organisations not shy to think outside the box, concepts such as privacy by design, profiling and data portability present an opportunity not only to innovate, but to build customer confidence and trust and thus drive sales.
Today, data is generally the most valuable asset a company holds – and the same is true for individuals. The GDPR recognises this and aims to bring the law closer to, and more in line with, the real world. We should welcome this new business convenience and accept the immediate burden placed on the industry as a necessary development. Privately, all of us also stand to benefit, notably from a reduction in spam and sales calls!
Laven Partners is here to help ensure your firm and staff are up to speed with the scope and responsibilities of GDPR with our GDPR Services, which include training, gap analysis, providing memorandums for the board and ongoing monitoring through our Digital Compliance Assistant software.
Contact us here for more information.