On 15 December 2015, the text of a new EU General Data Protection Regulation (GDPR) was agreed by the EU Parliament and Council. This agreement marks the largest overhaul of EU data protection rules since 1995. The new rules aim to provide individuals with greater rights regarding how their personal information is used and stored by companies, and are scheduled to enter into force in 2018. Practically speaking, this means that fund companies and asset managers should now proactively plan their strategies to deal with the new requirements and obligations under the GDPR.
Some key points to note are:
- Fines of up to 4% of global turnover (or €20 million – whichever is higher) will be imposed for breaches. The responsibility for privacy breaches extends to data processors, so both the data controller and the data processor will be jointly liable for any damages.
- Consent must be freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or inactivity will not constitute consent.
- The validity of consent will expire once the purpose for which it was sought ceases, which may impact processes around marketing and business development.
- Greater specificity regarding the content of privacy notices and policies will be required, and there may be enhanced record-keeping requirements.
- Individuals will have the right to request the deletion of data relating to them which is inaccurate, irrelevant or outdated.
- Any breaches due to a cyber-attack must be reported to the national supervisor within 72 hours.