Markets and Securities Services | Europe

it to assess the impact of its data processing activities on the protection of personal data. This assessment should be undertaken before the processing begins and requires, for example, a systematic description of the contemplated processing activities and an assessment of the purposes of the processing, the legitimate interests pursued by the controller (if applicable), the necessity and proportionality of the processing activities, the risks posed to the rights and freedoms of individuals, and the measures to be taken to mitigate those risks.

This information would be expected to inform the performance of various other obligations under the GDPR, including the content of fair processing information and of any data breach notifications issued to regulators and affected individuals.

Privacy by design
The GDPR requires data controllers to implement appropriate technical and organisational measures (e.g. pseudonymisation) designed to give effect to the data protection principles, and to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

Data protection officer
If the core activities of a data controller or processor consist of processing that, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or consist of processing special categories of data on a large scale, then the controller or processor must designate a Data Protection Officer (DPO) as part of its accountability programme. The DPO must, among other things, monitor compliance with the GDPR.

Given the type of processing typically undertaken by managers, this requirement for a DPO may not apply. The guidance issued by the Article 29 Working Party on 16 December 2016 will help to determine whether this is the case,⁶ although the Article 29 Working Party has invited stakeholders to comment on this guidance until the end of January 2017, so there is a chance that it may change. In any event, note that this point should be assessed on a case-by-case basis and, even if a manager concludes that it does not need a DPO under the GDPR, it may be prudent to have a person holding such a position to oversee general compliance with the GDPR.

B: Basis (for processing)
In addition to requiring fair processing, the GDPR also requires that personal data must be “processed lawfully, fairly and in a transparent manner”.⁷ To satisfy this requirement, at least one of the grounds for processing set out in the GDPR must be satisfied.⁸

Organisations typically assume that they need to obtain individuals’ consent to process their personal data. The GDPR raises the threshold for valid consent and places the onus on the data controller to show that consent is freely given, specific, informed and unambiguous. This, coupled with the fact that consent can be withdrawn at any time, makes consent an uncertain premise on which to legitimise processing activities. Helpfully, consent is just one of a number of different ways of legitimising a manager’s processing activities, and may not be required or appropriate where, for example, a manager can show that the processing is necessary for:

1) The performance of a contract to which the individual is a party (e.g. where the manager has entered into an investment management agreement with an individual, or an individual applies directly to a fund manager to subscribe for one of its retail funds).