The European Union (EU) General Data Protection Regulation (GDPR) goes into effect May 25, 2018. Officially, the EU’s GDPR increases data privacy and retrieval rights for EU citizens by regulating entities that interact with EU individuals. For financial services firms, this means merely consulting with a potential investor or customer in the EU could bring your organization into scope. The GDPR requires in-scope organizations to collect only necessary information on EU individuals, and to store, process, and transmit that data securely. At its core, the GDPR provides EU residents with the “right to be forgotten,” through data erasure upon the individual’s request.
Many financial services firms question how the EU’s GDPR applies to them, what challenges the sector faces, if the regulation has “teeth,” and what they can do right away to comply. Read on for answers.
Though the EU’s GDPR applies to anyone globally who supplies goods and services to EU individuals, financial services firms face unique compliance challenges. The list of U.S. financial regulators is already extensive, and the EU’s GDPR adds to that regulatory compliance overhead. More than 50% of global investment firms are unprepared for the May 25 GDPR compliance deadline. Of 250 investment firms surveyed, only 2% have GDPR policies and procedures in place, 59% are unready to comply with the 72-hour window to report a data breach affecting EU individuals, and 64% are ill-equipped to respond to an EU individual’s request to review and erase their personal data.[1] With GDPR in effect and so many financial services firms unprepared, the fines for GDPR non-compliance are alarming: €10-20 million or 2-4% of global turnover (revenue), whichever is greater.
Do any of the following questions apply to you as a financial institution?
- Do you offer goods and services to EU residents (including U.S. citizens living in the EU)?
- Do you have U.S. customers who have other financial accounts in the EU?
- Do you store, process, or transmit data pertaining to EU residents?
- Do you rely on third parties to store, process, or transmit data to/from the EU?
- Do you employ EU citizens (including employees with dual citizenship)?
- Do you have a website with EU language support (French, German, Italian, etc.)?
- Do you have a website with an EU domain extension (.eu, .fr, .ie, .co.uk, etc.)?
- Do you offer transactions in euros or other EU-based currency?
- Do you have subsidiary locations in the EU?
If you answered ‘Yes’ to any of these questions, you likely need to comply with the EU’s GDPR and ensure any data collected on EU persons is gathered legally and is absolutely necessary, protected from misuse and exploitation, and erased upon an individual’s request.
Also, when evaluating your firm’s GDPR compliance needs, consider the following points[2]:
- AIFM and UCITS management companies—as well as umbrella and self-managed funds—are likely considered ‘data controllers’ under the GDPR.
- Fund administrators, distributors, investment managers, and depositaries are likely to be regarded as ‘data processors’ under the GDPR.
- Natural investors—or officers and employees of corporate entities—are likely to be holders of personal data under the GDPR.
If you are a financial services firm with fewer than 250 employees, you could have fewer reporting requirements to GDPR regulators. However, this may not be the case if your data processing puts EU individuals’ data at risk, is performed frequently, or includes special categories of data. Even with fewer than 250 employees, it is crucial to do your due diligence to comply with the GDPR: many clients and investors are aware of GDPR, have an expectation of privacy, and want to know how their personal data is managed. The way you handle the personal data of EU persons, and how transparent you are about the process, could make or break a deal.
GDPR also introduces a new concept in European data protection law, pseudonymization: the process of rendering data neither anonymous nor directly identifying. Pseudonymization separates data from its direct identifiers so that linking it back to an identity is not possible without additional information that is stored separately. It can significantly reduce the risks associated with data processing while preserving the data’s usefulness. For this reason, the GDPR gives data controllers incentives to pseudonymize the data they collect. Pseudonymous data is not exempt from the GDPR, but the regulation relaxes several requirements on controllers who use the technique.
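As an added illustration (this is example code written for this article, not code from the original post and not a regulator-endorsed method), the following Python sketches the separation the paragraph describes: a working dataset in which the direct identifiers have been replaced by keyed pseudonyms, and a separately held “vault” holding the secret key and the pseudonym-to-identity table that is needed to re-identify anyone. The class name `PseudonymVault`, the field names, and the sample investor records are all constructed for the example; a real deployment would keep the key in a KMS/HSM under access controls distinct from the working data.

```python
"""Added example: pseudonymization with the re-identification data held separately.

Illustrative code written for this article; names, fields and values are constructed.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a natural person in our constructed records.
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """The 'additional information' that links pseudonyms back to identities.

    Kept apart from the working dataset: a secret key used to derive the
    pseudonyms and a pseudonym -> identifier table. Whoever holds only the
    pseudonymized records cannot reverse the linkage.
    """

    def __init__(self, key=None):
        # Fresh random key unless one is supplied (e.g. loaded from a KMS/HSM).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}

    def pseudonym_for(self, identifier):
        # Keyed hash (HMAC-SHA256): the same identifier yields the same pseudonym
        # under the same key, so records stay linkable for analysis. A plain,
        # unkeyed hash of guessable values such as e-mail addresses could be
        # reversed by hashing candidate addresses; the secret key prevents that.
        digest = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256)
        pseudonym = digest.hexdigest()
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym):
        # Only the vault holder can map a pseudonym back to a person.
        return self._lookup.get(pseudonym)

    def erase(self, pseudonym):
        """Drop the link for an erasure request; returns True if a link existed."""
        return self._lookup.pop(pseudonym, None) is not None


def pseudonymize(records, vault):
    """Replace the direct identifiers with one pseudonym per person; keep the rest."""
    out = []
    for rec in records:
        # Composite of the direct identifiers so one person gets one pseudonym.
        identity = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = vault.pseudonym_for(identity)
        out.append(pseudo)
    return out


def total_assets_by_country(records):
    """An analysis that still works on the pseudonymized dataset."""
    totals = {}
    for rec in records:
        totals[rec["country"]] = totals.get(rec["country"], 0) + rec["assets_eur"]
    return totals


# Constructed sample investor records (not real people); the first and last
# rows are two holdings of the same person.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.eu", "country": "DE", "assets_eur": 120000},
    {"name": "Bram Voorbeeld", "email": "bram@example.eu", "country": "NL", "assets_eur": 80000},
    {"name": "Anna Example", "email": "anna@example.eu", "country": "DE", "assets_eur": 15000},
]


def demo():
    """Run the workflow end to end and return the observable results."""
    vault = PseudonymVault()
    working = pseudonymize(SAMPLE_RECORDS, vault)
    subject = working[0]["subject_id"]
    result = {
        # Both of Anna's holdings carry the same pseudonym, so they stay linkable.
        "same_person_linked": subject == working[2]["subject_id"],
        # No direct identifier survives in the working dataset.
        "identifiers_removed": all(f not in rec for rec in working for f in DIRECT_IDENTIFIERS),
        "totals": total_assets_by_country(working),
        # Re-identification requires the separately held vault.
        "reidentified": vault.reidentify(subject),
    }
    # Erasure request: remove the link. The working records remain but are no
    # longer attributable to the person; a full erasure process would also
    # purge them where required.
    vault.erase(subject)
    result["after_erasure"] = vault.reidentify(subject)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the vault, not the working dataset, is the sensitive asset: an analyst with the working records can still compute per-country totals, but cannot name anyone, and the same records handed to a second environment with a different key produce unrelated pseudonyms. As the article notes, the pseudonymized records are still personal data under the GDPR; the technique reduces the impact of a leak of the working set, it does not remove the data from scope.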
GDPR Action Steps
If your firm falls under GDPR scope, there are two core areas you need to focus on to be compliant: data classification, and cybersecurity program management. If you focus only on data classification while your cybersecurity defenses are lacking, the data remains highly at risk; the same is true if you focus only on cybersecurity defenses and neglect data classification and inventory management. If you have a robust firewall but do not manage role-based data access privileges, highly regulated EU personal data can still fall into the wrong hands. To begin working toward GDPR compliance, review the action steps below.
1. Data Classification and Inventory Management
- Identify where client data is stored, collected, processed, and transmitted to apply the appropriate data protection safeguards.
- Update all identified data storage systems to adhere to “data protection by design and by default,” where data protection is an integral design choice rather than an add-on.
- Evaluate and record the specific purpose of data collections (business critical, non-critical data analysis, etc.).
- Implement a data classification scheme that properly manages the levels of your organization’s data inventory (e.g., Confidential, GDPR, Internal Use Only, etc.).
- Encrypt all personally identifiable information (PII) at rest and in transit.
- Survey all third-party partners and vendors to assess their management of EU data, and score their GDPR compliance to address compliance gaps.
- Update your Incident Response, Privacy, and Data Breach Policy and Procedures to align with the GDPR requirements (e.g., 72-hour breach notification window).
- Record all personal data breaches, whether or not you are required to disclose.
- Provide straightforward GDPR compliance training to all employees, as well as advanced role-centric training for employees with elevated access privileges.
- Create a website banner which asks users for direct consent to data collection. Silent notices or pre-checked boxes are no longer considered consent. EU individuals must be provided the right to withdraw consent at ANY given time.
2. Cybersecurity Program Management
- Deploy state-of-the-art cybersecurity defense systems along your perimeter.
- Activate Intrusion Prevention Systems (IPS) to perform rapid Incident Detection and Response (and remember to test your Incident Response procedures regularly). Early Detection is vital to make an informed disclosure within 72 hours.
- Deploy a Data Loss Prevention (DLP) system to prevent EU data from leaking.
- Utilize a Governance, Risk, and Compliance (GRC) platform to automatically manage your risk management program compliance with standards and regulations.
- Perform a Cybersecurity Risk Assessment, cross-mapped to the GDPR requirements, to list compliance gaps and their corresponding remediation steps.
- Deploy a SIEM to actively monitor and manage all data points within the firm.
- Ensure you have the appropriate number of team members to actively manage all of the above systems, policies, processes, and procedures.
- It’s crucial for financial institutions to understand how they store, process, and transmit personal data, and how that affects the rights of individual users.
- It is also essential to implement automated data classification operations to ensure compliance with the EU’s GDPR.
- In addition to data inventory management, financial firms must also demonstrate their processes and procedures to regularly test the effectiveness of their Cybersecurity and Data Privacy programs. It is critical to have state-of-the-art systems with “data protection by design and by default.”
GDPR is in effect as of May 25—are you ready? Contact us for help.
Disclaimer: This is not considered legal advice. It is important to consult your legal counsel for guidance as necessary.