The European General Data Protection Regulation, which comes into force on May 25, 2018, requires companies with operations in Europe or information about individuals in Europe, including investment managers, funds, banks, and broker-dealers, to comply with a broad set of data privacy and security obligations. This includes being transparent about the personal data they collect from European data subjects and how it is used in managing investments. Investment managers, funds, banks, and broker-dealers will need to provide notices to individual investors, and to employees of institutional investors, whose personal data is collected for “know your client” checks and similar anti-money laundering requirements. The notices must specify how the data is processed and what rights the individual has over it. Funds also have obligations to protect the data and, on request, to provide access to it, restrict its processing, and erase it. Investment managers with access to fund investor data must protect the data and use it only for the purposes of the funds.
The new General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and is directly applicable in every European Union (EU) member state from that date. European countries will nonetheless enact their own local data privacy laws to supplement the GDPR, since some provisions, such as those relating to data subject access rights and the processing of criminal conviction data, allow member states to vary the GDPR requirements. After the United Kingdom (UK) exits the EU, likely in 2019, the UK government will need domestic data privacy legislation to replace the GDPR. The UK’s draft Data Protection Bill has now been published; it incorporates and supplements the GDPR. The GDPR itself will also remain relevant to UK businesses that target the EU market, in the same way as it applies to other non-EU businesses. US organizations and other international entities need to be mindful of the variations between European data privacy laws when dealing with personal data of EU, UK, or Switzerland-based residents.
FCA AND ICO JOINT STATEMENT
On February 8, 2018, the UK’s Financial Conduct Authority (FCA) and the data protection authority, the Information Commissioner’s Office (ICO), issued a joint statement that compliance with the FCA rules and the GDPR is required for regulated firms processing personal data. They also said:
Compliance with GDPR is now a board level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework. When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms’ customers and employees, and are open and transparent on why we have made rules in the way that we have.
Both the FCA and ICO plan to work together to support regulated firms in how they can comply with both regulatory regimes.
TERRITORIAL SCOPE OF THE GDPR
The GDPR has extraterritorial effect and applies to:
- processing in the context of activities of data controllers and data processors established in the EU, whether or not the processing takes place in the EU;
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to offering goods or services to data subjects in the EU; and/or
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to monitoring their behavior in the EU.
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects, and as a result, will impact US organizations (including broker-dealers, investment advisers, banks, and funds) that have clients or investors that are EU-based data subjects or, for example, where the processing of personal data outside the EU is related to the activities of an EU-established institutional investor.
When the UK exits from the EU by March 29, 2019, the GDPR will continue to apply to a UK organization only to the extent that it falls within the extraterritorial scope summarized above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply. Instead, the new Data Protection Act (currently in draft form) will apply. It incorporates the GDPR and supplements its principles in the areas where the GDPR permits member states to do so. Like the GDPR, it has extraterritorial effect, so that it applies to non-UK businesses that offer goods or services to UK residents or monitor UK residents.
Most UK businesses are almost certainly going to need to transfer personal data to the EU and also to other countries outside the EU, such as the United States. Currently, while the UK remains part of the EU, personal data may not be transferred outside the EU unless the recipient is in a country the European Commission has found “adequate” (such as Canada or Switzerland), the individual has consented, or the business has in place a legally permissible transfer mechanism, such as model clauses or binding corporate rules or, for the United States, the recipient organization’s certification under the Privacy Shield arrangement. The United States as a whole is not an “adequate” country. The UK government will need to negotiate an “adequacy” decision for the UK from the European Commission as part of the Brexit arrangements.
PROCESSING OF PERSONAL DATA UNDER THE GDPR
Where the GDPR applies to the processing of personal data, companies within its scope should conduct an initial assessment of whether they or their affiliates are acting as data controllers or data processors in each processing activity, because the greatest burdens under the GDPR fall on data controllers, as discussed below. Investment managers are likely to act as data processors when handling personal data on behalf of their funds. They are, however, likely to act as data controllers where they use the personal data for their own purposes, such as managing client accounts, conducting anti-money laundering checks, or marketing, or where they otherwise determine the purposes and means of processing the data. The funds themselves are likely to be data controllers, with greater obligations than data processors under the GDPR.
The data controller is ultimately responsible for compliance with the data protection principles:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to individuals
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes
- Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
CONSENT AND PRIVACY NOTICE REQUIREMENTS
Personal data is lawfully processed only if a lawful basis applies: either the data subject has consented to the processing, or another basis such as the performance of a contract, compliance with a legal obligation, or the controller’s legitimate interests applies. Where consent is relied on, strict conditions govern whether it has been validly obtained by the data controller.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The information in the privacy notice is summarized below and must be provided at the time the personal data is collected or, if it was obtained from a third party, within a reasonable period after obtaining it and at the latest within one month. Ensuring that privacy notices are compliant with the GDPR is likely to be a complex process for many organizations. The privacy notice must be concise, transparent, intelligible, and easily accessible, written in clear and plain language, and provided free of charge.
There are also direct obligations on data processors under the GDPR regarding
- the security of processing operations;
- appointment of a data protection officer;
- the engagement of sub-processors; and
- the notification of any breach of data protection obligations (including data security incidents) to the data controller.
Separately, the GDPR requires the data controller to notify the competent data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals) and, where the breach is likely to result in a high risk to those individuals, to notify them as well.
RECOMMENDED STEPS FOR INVESTMENT MANAGERS TO COMPLY WITH THE GDPR
Organizations can consider taking steps to prepare for the GDPR such as the following:
- Conduct an assessment of what personal data is processed or otherwise stored or held by the organization and/or its affiliates, where it is held, the categories of data subjects (e.g., employees, contractors, contact points at commercial organizations, customers, etc.), the nature of the personal data (including if it is sensitive personal data), for how long it is being retained, whether it is current or historical, how it was obtained (so far as possible), how it is used and with whom it is shared, and the locations of the recipients of the personal data (i.e., identify the data flows)
- Review the consents (or other lawful bases relied on) for the processing of the personal data, prepare privacy notices to data subjects for this processing, and update any existing policies as necessary under the GDPR
- Identify any international data flows and the transfer mechanism relied on for each (such as model clauses approved by the European Commission, binding corporate rules, or, for US recipients, Privacy Shield certification), and ensure that all international data flows are conducted lawfully
- Review and update as necessary any procedures for responding to data subjects accessing personal data or exercising any other rights such as rectification, erasure, and restriction of processing their personal data
- Review data security processes and review and update any data security incident response plan (or prepare one) so that it covers the obligation to notify the supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals) and to notify the affected individuals where the risk to them is high
- Consider whether the organization (or one of its EU affiliates) needs to appoint a data protection officer. (This is required where the organization’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data or criminal conviction data)
- Review and, as necessary, amend processing provisions with data processors to comply with the GDPR requirements
IMPACT ON US FINANCIAL INSTITUTIONS
GDPR will impact US financial institutions, including broker-dealers, investment advisers, banks, and funds that do business in the EU. US financial institutions might find that they can rely on existing policies and procedures in complying with GDPR, such as those adopted to comply with Regulation S-P under the US federal securities laws, or Consumer Financial Protection Bureau Regulation P in the case of banks and other consumer financial services firms. The chart below identifies key requirements of GDPR that might, depending on the circumstances, be satisfied by steps taken by firms to comply with Regulation S-P and Regulation P.
Considerations for US financial institutions include, for example, (1) how to categorize information according to the lawful basis on which it was obtained (e.g., customer consent, performance of a contract, legal obligations); (2) how to satisfy the storage limitation principle, including through data mapping and erasure; and (3) what policies and procedures to adopt so that information is erased when required (e.g., upon customer request or by law) and retained only where a basis for retention exists (e.g., regulatory record-keeping requirements).