As one of the leading global corporate and fiduciary service providers, and having acted on numerous UK securitisation transactions, Maples Fiduciary recognises the challenges that an evolving regulatory landscape has presented to this market. The General Data Protection Regulation ("GDPR"), introduced by the European Parliament, the Council of the European Union and the European Commission, comes into effect on 25 May 2018 and intends to strengthen and unify data protection for all individuals within the European Union ("EU"). Given the significant changes and impact on businesses this will have, we remain committed to partnering with our clients and legal advisers to ensure preparedness as the effective date approaches.
Today’s increasingly data-driven world and rapidly evolving business and technology landscape have necessitated an update to the regulatory environment in the EU. Depending on the underlying assets of a securitisation, significant amounts of data may be received, processed and held by various transaction parties. While the current directive has helped harmonise data privacy laws, the incoming GDPR is a much more robust piece of legislation and will impact various participants in the UK securitisation market. Key points of the GDPR, among others, include:
- Increased territorial scope: The GDPR extends the jurisdiction of data privacy regulation to companies located in the EU as well as foreign companies that process the personal data of subjects residing in the EU.
- Consent: The request for consent must be given in an intelligible and easily accessible form with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and companies must ensure the process for withdrawing consent is as easy as it is to give it.
- Data subject rights: The rights of individuals under the new legislation will increase significantly and include: mandatory breach notification; the right to request whether their personal data is being processed, where and for what purpose; the right to be forgotten, ensuring that data controllers erase personal data held on individuals in certain situations, cease further dissemination of data and have third parties halt processing of data; and the introduction of data portability whereby the individual can receive personal data concerning them and transmit it to another controller.
While the main principles in the existing directive still hold true, the GDPR aims to update data protection standards to fit today’s technology landscape. There is now more personal data being created and processed than ever before and the GDPR will provide the foundation to support protecting the rights of individuals now and through future waves of innovation.
The UK government has confirmed that its decision to leave the EU does not negate the commencement of the GDPR. As such, there will be a significant impact on systems and security, and UK organisations must be ready in order to avoid penalties for non-compliance, which can reach the higher of 4% of annual global turnover or €20 million.
While questions may arise regarding how GDPR will apply once the UK is no longer an EU member state, and the impact this may have on issuers and legal title holders within the securitisation market – who are deemed the data controllers – this should not distract from the need to remain compliant in the short term, working with service providers and legal advisers to have the necessary agreements, systems and processes in place.