GDPR: Time to Act
The General Data Protection Regulation comes into force in May 2018 and should be on the radar of every company that processes data relating to living EU residents. Non-compliance will lead to significant penalties, including a fine of up to 20,000,000 EUR or up to 4% of annual turnover. Considering that one in four businesses is unaware of GDPR, the sanctions pose a real threat.
It is already clear that meeting the regulatory demands will involve significant work. It requires a collaborative effort from the organisation’s legal, compliance, human resources and IT functions, and from any business unit that interacts with subject data.
Typically, investment managers will need a readiness assessment to identify their capabilities to comply with the new regulation and then follow that up by identifying and documenting the legal basis for collecting data, how it is processed, used, and protected. The scale of the effort required is such that many smaller organisations are considering the use of a third party as they lack the internal expertise and tools to identify the gaps that must be addressed.
Organisations must also understand how the third parties that control or process data on their behalf are addressing their own GDPR compliance. This includes reviewing those third parties’ information and cyber security policies and procedures, reviewing their security attestation reports, and conducting on-site visits to their data centres. This is an ongoing process: its frequency should be determined with a risk-based approach, and in some cases continuous monitoring should be considered.
Third-party and vendor contracts must also be reviewed for specific data handling terms and requirements. New contracts will include these provisions, but the bigger challenge will be revising existing agreements to add the additional terms and conditions.
The headlines on GDPR have also drawn attention to data breach notification, the right to be forgotten, and the need to appoint a Data Protection Officer. In the event of a suspected data breach, GDPR requires organisations to identify the categories of data and the number of data subjects affected, and to document the measures taken to mitigate the breach. The supervisory authority must be notified of a subject data breach within 72 hours of its discovery. Even if the exposure is not serious, the company must keep records of it internally.
Accidental or unlawful destruction, unauthorised disclosure, alteration, loss of, or access to subject data is considered a data breach. Organisations must therefore have clearly defined incident response plans and procedures to identify, categorise, and report data breach incidents. Data mapping exercises should also be conducted to identify where subject data is stored, where it travels, who has access to it, and how it is protected. Incident response plans should be routinely tested against relevant threat scenarios.
The right to be forgotten, reinforced in Principle 5 of the current Data Protection Act, has sparked further confusion. ‘The right to be forgotten and to erasure’ is not always a legitimate request and does not stand as an unconditional right. Although firms should have procedures in place to handle any such request, there may be instances where the request itself does not meet the European Court of Justice’s criteria and can be declined.
The requirement to appoint a Data Protection Officer applies only to firms that operate in the public sector or employ 250 staff. However, the regulation does recommend that a qualified individual be appointed with responsibility for data protection at all times. For most firms, this will be the action required.
The GDPR deadline is just over six months away, and investment managers need to review their current data protection policies and procedures thoroughly against the requirements of the regulation. This will take considerable cross-company collaboration, and there is significant ground to cover. The time for preparation is now: any gaps must be identified sooner rather than later and paired with a suitable action plan to meet the obligations of GDPR.
Struggling to implement the requirements of GDPR? Cordium offers services ranging from a full review of policies and procedures, workflow mapping and vendor risk management to our Infrastructure Collateral Service.