

Markets and Securities Services | Europe

THE ABCs OF THE GDPR: GETTING TO GRIPS WITH THE LATEST ACRONYM YOU NEED TO KNOW

Acronyms — they’re everywhere. They’ve been gradually and innocuously infusing your daily vernacular and, before you know it, you LOL IRL at your BFFL’s social media witticisms — KWIM? If that sentence has you reaching for Google or your nearest teenager for a translation, fear not: the apparent linguistic gulf between you and today’s hottest acronyms may not be so wide as you think. . .

One of the most notable trending acronyms over the past six months at least — although probably not among the largest of Snapchat demographics — is the GDPR. After years of negotiation, and hundreds of pages of commentary, the General Data Protection Regulation (GDPR) was finally passed in May last year, setting not chat rooms but boardrooms across the globe aflutter in anticipation of its coming into force on 25 May 2018.[1]

Why has it caused such a reaction?

The GDPR was designed to build on the foundations of the current data protection framework laid down by Directive 95/46/EC (Directive), to:[2]

• Harmonise the data protection regime across the EU.
• Increase the rights of individuals and the accountability of organisations processing personal data.
• And empower data protection authorities (DPAs) to impose sanctions (for breach of the GDPR) of such significance and magnitude that they could be more aligned to the sanctions regimes under competition laws.

The ripples of anxiety have somewhat calmed since May (only to be aroused once more by the Brexit vote by the UK in June — but more on that later). As with most acronyms, there is more to the GDPR than meets the eye, and those four letters veil the depth of measures that companies need to implement to be compliant with the new legislation. This is where, in providing an introduction to some of the basic principles underpinning the GDPR, our ABCs can be of help.

First things first: why care?

Data forms the lifeblood of asset and fund management, influencing which investments are made, in what assets, when, for how long, and for whom. As the illustration opposite shows, the types of data held by managers are rather diverse, comprising statistical, financial and business data, as well as — crucially for our purposes — data relating to identified or identifiable individuals (i.e. personal data).

The European data protection regime is not concerned with the amount of personal data that organisations process. The fact that an organisation is processing personal data is sufficient for the law to apply. In this regard, the GDPR introduces two notable changes to the current regime:

As a general rule, if you process personal data, you will be caught by European data protection laws

The current Directive applies directly only to persons that determine the purpose and means of data processing — i.e. data controllers. Data controllers must flow down certain of their data protection obligations to data processors (i.e. the persons who process personal data on their behalf) via contract. The GDPR, however, will apply directly to both data controllers and data processors, albeit to varying extents. In practice, this means that managers are likely to see a shift in the way that data protection provisions are negotiated with, for example, transfer agents and other service providers who will, from 25 May 2018, find themselves directly accountable to DPAs for their processing of personal data.

The long arm of the law is officially about to get a little longer

The GDPR expands the territorial reach of European data protection laws such that, in a move echoing the court’s stance in the Google Spain case, European data protection legislation will apply to the processing of personal data:[3]