Global Trustee and Fiduciary Services News and Views | Issue 47 | 2017
2) Compliance with a legal obligation to which the manager is subject (e.g. anti-money-laundering rules).

3) Or the legitimate interests pursued by the manager or a third party (save where those interests are overridden by the interests and fundamental rights and freedoms of individuals).

Managers should therefore assess what data processing activities they undertake, and which of the lawful grounds for processing set out in the GDPR applies to each of those processing activities. Note also that this information needs to be provided to individuals via a fair processing (privacy) notice.

C: Cyber (and other security conundrums)

You only need to look at the news headlines of the past 12 months to know that security risks are among the most prominent threats to businesses today. Asset and fund managers are no exception to this, particularly given the type and the wealth of information that they process.

In addition to the requirements of the FCA Handbook, managers must ensure that they implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the integrity and confidentiality of the personal data they process.

Appropriate measures include:

• Encrypting personal data (both at rest and in transit).

• Regularly testing and evaluating the effectiveness of the technical and the organisational measures.

• Taking steps to ensure that the personal data is only processed in accordance with the manager's instructions. Practically, this could involve supplementing IT-based measures with appropriate internal policies, escalation points and training, so that employees are fully aware of how they should treat personal data.

While these types of preventative measures are clearly crucial to reducing the risk of a data security breach, it is equally important to have a robust remediation procedure in place. As mentioned above, security breaches must be notified to the DPA without undue delay and,

"The GDPR requires data controllers to implement appropriate measures..."

"By default, only personal data that is necessary for each specific purpose of processing are processed."