Data protection drive moves up a gear

There is one big challenge. Investment management is conducted across borders, with chains of intermediaries ensuring that the data of individuals are stored in numerous locations. Take the case of a Luxembourg management company with a distribution partner in Japan.

“Even distributors outside the EU may be covered by this regulation,” says Frederic Vonner, a partner at PwC Luxembourg told participants at a Euroclear roundtable event.

“There is a whole series of questions about how the Japanese distributor can comply with the regulation, if it is aware of the regulation at all.”

First things first. What is GDPR and why does it exist?

GDPR was adopted by the EU as far back as April 2016 and is enforceable from 25 May 2018. From May, firms must notify the authorities of any breaches of ‘high-risk’ data within 72 hours and the penalties for failure to do so will be severe.

Mohamed M’Rabti, Deputy Head of FundsPlace and Head of ETFs, Euroclear, observes, “There appear to be two main drivers behind GDPR. The first is transparency: the EU aims to give citizens greater control overhow their personal data is used. This will limit the swapping of personal data between companies, particularly in the social media space.”

The second driver is pro-business: the EU aims to provide a simpler legal environment in which to operate, making data protection rules identical across the EU single market.

“The consent issue worries investment firms,” says Vonner. “They have data in multiple places and they are all looking for legitimate purposes to process it. They need guidance.”

Questions revolve also around the format in which investment firms should inform investors on the use of their personal data. That might be via the prospectus, on the application form, or more directly by sending out letters explicitly for the purpose or setting up a website consent form.

Other concerns centre on matters such as how to handle data in the form of visitor logs, training notes, the collection of business cards and CVs. Emails are a topic all of their own: email chains are particularly problematic, with the personal information of dozens, sometimes hundreds of people in your own firm and within others made visible.

To handle this necessitates an email management policy, but few investment firms have worked out how this policy might operate in practice.

If data cannot be fully protected this could be damaging to the firm in question. Data should be secured as carefully as possible to avoid causing harm or risk to an individual.

No analysis of the impact of GDPR can ignore the key terms the Directive introduces: controllers and processors. Into which category you fall will define your obligations under GDPR.

In essence, the controller has the responsibility over the individuals’ data and gives instructions to the processor on how to use that data.

So the division of duties seems clear. Until you consider that GDPR holds controllers responsible for the proper or improper handling of personal information, even if they outsource the processing of the data.

In a further twist, if the processor exceeds the bounds of its instructions from the controller, it becomes the controller and assumes the key responsibilities.

Let’s map that slightly complex situation to the investment management industry. First funds. The issue is fairly clear-cut, with the personal data of investors remaining the responsibility of the fund entity. The fund is the controller.

If a company outsources the computation of salaries, the company is the data controller and the outsourcing company is the processor for such purpose only.

So far, so good. But what about Mancos? They might argue they have no role given their distance from the day-to-day operations of the funds.“The issue for them arises if something goes wrong with the investors’ data,” said Vonner.

With this in mind they should probably be considered co-controllers - jointly responsible for controlling data alongside the fund entities.

Next up, transfer agents. “Transfer agents must wear the two hats of a processor and a controller,” says Vonner. They perform processing for funds, but they are controllers in that they must do know-your-customer checks for their own business and manage their employee data.

They should keep a register of all their data processing to see if they stray into the area of controller for the funds they service.

They are also responsible for the processing chain and, in particular, making sure that sub-processors comply with the data protection rules.

“The investment industry is floating on a lake of data. The question is, on a practical level, how it can avoid drowning. That is, how firms can set out to comply with the rules,” comments M’Rabti.

There are four building blocks of compliance, argues Vonner.

1. Understand all the processes in your organisation and make sure contracts are up to date in terms of personal data processing.
2. Handle the data of others as if it were your own. Introduce procedures for collecting, using and deleting data, transferring it to other companies, and for handling questions and complaints about the use of data. 
3. Update IT systems so they can enforce data security and establish data mapping and labelling in line with the risks to the data subjects. This is about how to control its propagation across systems and only collecting what is needed for specific, legitimate purposes. When developing new applications, input only relevant data. 
4. Implement solid governance procedures. Investment firms may need to appoint a data protection officer (DPO). Those that do need to decide where the DPO stands within the organisation to ensure the procedures are efficient and effectively applied.

It may also be possible to mitigate compliance risks through GDPR-related insurance, but at this stage it is not clear if such products are regulatory-proofed.