
Global Trustee and Fiduciary Services News and Views | Issue 47 | 2017


Notes

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. See http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN, last accessed on 24 October 2016.
3. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C‑131/12, 13 May 2014.
4. Article 5(1)(a), GDPR.
5. See https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/, last accessed on 1 December 2016.
6. http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf, last downloaded on 24 November 2016.
7. Article 5(1)(a), GDPR.
8. Article 6, GDPR.
9. Yahoo: from https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security, last accessed on 24 November 2016. ICO: the significance of this fine is that it is the largest fine ever issued by the ICO, which has the ability to fine companies up to GBP500,000 for breach of the UK Data Protection Act. Reputational risk: see http://uk.reuters.com/article/us-verizon-yahoo-cyber-idUKKCN12D2PW, last accessed on 24 November.
10. Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
11. See https://www.privacyshield.gov/welcome.
12. “Yahoo Email Scanning Prompts European Ire” from http://www.reuters.com/, last accessed on 24 November 2016.

in a case likely to be referred to the CJEU, and the European Commission has more recently proposed amending Model Clauses to allow DPAs to suspend businesses’ data flows. This culminates from the CJEU’s ruling in the Schrems case that the Commission had exceeded its powers in restricting national regulators’ authority. Despite these challenges, for the time being Model Clauses still remain the most certain way in which managers can transfer personal data outside the EEA.

So now you know your ABCs...

Just as there are 22 other letters in the alphabet, there are various other requirements and restrictions in the GDPR that asset and fund managers should be aware of. From 25 May 2018, the risks of non-compliance with European data protection laws will be significant, particularly as non-compliant managers could find themselves facing a fine of up to the higher of 4% of annual worldwide turnover and EUR20 million in respect of some breaches of the GDPR (e.g. breach of requirements relating to international transfers or the basic principles for processing), and up to the higher of 2% of annual worldwide turnover and EUR10 million in respect of others.

The quantity of personal data processed by a manager does not affect the extent to which it must comply with the GDPR, but naturally it — as well as the type of personal data and the frequency, purpose and duration of processing — will affect the organisation’s risk profile. As technological advancements such as cloud computing, big data analytics, automation and blockchain technology incrementally revolutionise the behaviour and offerings of the financial services industry, and some managers seek to capitalise on the wealth of personal data within their groups (e.g. through vertical integration of data), balancing the risks of non-compliance with European data protection laws against the rewards of innovation and business growth is becoming more challenging.

What about the other B word?

Prime Minister May has said that she intends to trigger Article 50 by the end of March 2017, so, assuming this is the case, the UK looks set to leave the EU by summer 2019. This could mean that the GDPR is likely to be in force in the UK, in its current form, for at least 12 months until Brexit occurs. Even post-Brexit, there is unlikely to be a significant relaxation of the level of data protection managers are expected to provide when processing personal data in the UK. As a matter of policy, UK law would be likely to impose a broadly equivalent level of data protection to that agreed in the GDPR, not least because this is almost certain to be necessary for the UK to be considered an “adequate” jurisdiction to which personal data can freely be transferred from the EEA.

As Aristotle said: knowing yourself is the beginning of all wisdom

The GDPR forces organisations to be accountable for their data-processing activities and adopt a culture of data-protection compliance from the grass roots — via privacy impact assessments and implementing privacy by design — right through to top-tier management — via DPOs and severe sanctions for breach. As we edge ever closer to the dawn of the GDPR, it would be prudent for managers to conduct internal audits and draw up plans to assess where they are on the road to compliance and what they need to do to get there.

Karishma Brahmbhatt
Senior Associate
Allen & Overy LLP