Non-EU firms and GDPR: Time to face up to compliance
The deadline for meeting the General Data Protection Regulation (GDPR) is on its way. But many non-EU investment management firms may not realize, quickly enough to meet the 25 May 2018 implementation date, the extent to which they will be affected by this extensive new regulation.
All firms will need to comply with the new EU rules, no matter where they are located, if they process the personal data of individuals in the EU, for example by offering services to them or monitoring their behaviour. The territorial scope is set out in Article 3, and it turns on where the data subjects are, not on their citizenship. Personal data is any information relating to an identified or identifiable individual, from names and contact details to financial data.
The penalties for failure to comply with GDPR are baked right into the legislation, and they are stiff. Fines are set at the discretion of the national supervisory authority and depend on the type of infringement, but for the most serious breaches they can be as high as €20 million or 4% of a company's total worldwide annual turnover, whichever is higher (Article 83). It may seem that financial firms with operations inside the EU are the most likely to face regulatory sanction, but a firm that falls within GDPR's scope without having an establishment in the EU must, with limited exceptions, designate a representative in the EU (Article 27), which gives the regulators a point of contact within their jurisdiction.
The reputational risk of non-compliance could be particularly damaging. Clients may read a failure to comply as a lack of care for their personal data. Worse, a data breach that exposes governance and transparency shortcomings could be terminal for a firm's reputation within its investor base.
How much work is required for GDPR compliance depends on the current state of a firm’s information security and data protection program. Although many of the new requirements are best practices that should already be in place, most firms will need to do at least some work to meet the requirements.
The good news for non-EU companies is that if they already comply with existing standards in this area, they may have less work to do. For example, there is some overlap with ISO 27001 and the NIST Cybersecurity Framework, although both address information security controls rather than the lawfulness, transparency and data-subject-rights obligations that make up most of GDPR. The EU-US Privacy Shield framework (with a parallel Swiss-US framework) provided a mechanism for one specific requirement, the lawful transfer of personal data out of the EU, but certification under it never made the rest of a firm's processing compliant, and the EU-US framework was invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied on for transfers. On the other hand, GDPR is much broader in scope than US consumer protection requirements, for example.
A clear first step for a non-EU firm is to establish where it stands on GDPR compliance today. Firms should undertake a data due diligence review or audit. This will give the firm an understanding of how personal data is actually being processed, measured against the record of processing activities that Article 30 requires. The firm should take a risk-based approach, starting with the areas of the business that hold the highest concentration of personal data, since these areas carry the highest risk exposure.
For many investment management firms, the place to start is investor relations. For other types of financial services organizations, it may be sales, marketing, or customer relations. Most investment managers do not engage in the kind of abusive data practices that some retail operations use, but there are still a number of rules to follow. For example, a firm will need to tell anyone it markets to, clients and prospects alike, what personal data it is collecting, the purposes for which it will be used and the legal basis for the processing (the information requirements are set out in Articles 13 and 14).
This does not just apply to email; it applies to any personal data held electronically, and to structured paper filing systems as well. So, for example, salespeople may keep personal details about a client in the customer database they use, such as the client's birthday, the names of their children, or a favourite restaurant for lunch. Under GDPR's data minimisation and purpose limitation principles (Article 5), it may be difficult to justify a business case for holding on to this data. Each firm will have to make a decision on this and then create the policies, procedures, training, and testing to enforce it.
The second priority is often human resources. If a firm based in a non-EU country has employees in the EU, the HR systems and processes that handle those employees' data will need to comply.
Then firms should look at the investment business itself; deal information, for example, can be full of personal data. Employees working with portfolio companies will receive information on those companies' corporate advisors, as well as background checks on individuals, which can include particularly sensitive categories of data. A great deal of sensitive personal information can accumulate in this area.
Firms should also establish whether they are exchanging personal data with any third parties or vendors. If the firm outsources a business process to a third party, and that third party processes personal data on the firm's behalf, the arrangement must be governed by a written contract containing the terms Article 28 requires, and any transfer of the data out of the EU needs a lawful transfer mechanism. The firm will have to work with the third party to ensure compliance with all of these rules.
The GDPR's Article 30 demands a holistic view of a firm's stored personal data. The record of processing activities it requires calls for clarity on how the firm identifies personal data, how it collects that data, and the lawfulness and transparency of its processing. Article 30 also covers storage, traceability, security and protection, access and usage, sharing and transfers, and retention and deletion.
As part of this process, non-EU firms should then identify the policies and procedures they already have in place for the security and protection of personal data; this aligns with Article 25 (data protection by design and by default) and Article 32 (security of processing), which specifically address these topics. If a category of data already appears to be handled in a compliant way, do not just leave it there: test that the controls work as described and document the testing. Regulators will be looking to see what happens in reality, not what the policy says.
Chances are, however, that if an investment management company has funds in the EU or markets to EU-based clients, it will have to comply with GDPR, and there will be gaps in its existing data protection infrastructure.
When conducting a data due diligence exercise, it is important to create a responsibility matrix. Regulators want to see that all data relationships are understood: for each data flow, who is the controller, who is the processor, and who is the sub-processor, or are there joint controllers (Article 26)? For third parties and vendors, firms must identify the data that is exchanged and which of these roles the firm and the counterparty each hold, since the obligations that attach to each role differ.
The stakeholders assigned to these roles will need to understand why the data due diligence exercise is being performed and what their responsibilities for compliance are under GDPR. Working together makes it easier to understand the data processes and, ultimately, to implement compliant procedures.