Caught in the EU FINREG WAKE
Citi Custody & Fund Services – Caught in the EU FinReg Wake

Increased Accountability

In other areas, data processors will have increased responsibilities and liability. This has a significant impact on all vendor relationships involving personal data processing. As a result, enhanced due diligence over processors will be a key part of GDPR planning.

In the event of a data breach, firms must notify data protection authorities within 72 hours and individuals without delay, if the breach is likely to pose a high risk to them.

Underpinning GDPR is the potential for some eye-watering fines, up to €20 million or 4% of global turnover, whichever is greater.

IMPACT ON THIRD COUNTRIES

To ensure the level of protection afforded by GDPR is not undermined, there are restrictions on the transfer of personal data outside the EU to third countries or international organizations. Transfers may be made where the European Commission has decided that a third country, a territory, one or more specific sectors in the third country, or an international organization ensures an adequate level of protection. So far, decisions have been reached in relation to Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.

It remains to be seen if the Commission will grant the US full equivalence. The Commission has limited its equivalence decision to the EU-US Privacy Shield framework. However, the Privacy Shield faces legal challenges in the EU and has been referred to the Court of European Justice (ECJ). If the ECJ deems that the Privacy Shield is incompatible with EU law, then all private data transfers between the EU and US would have to stop.

Longer term, the issue of third-country equivalence is also relevant for the UK, since following Brexit it may end up as a third country. This would mean the UK’s Data Protection Rules would need to be considered adequate by the European Commission.

FIRMS’ TO DO LIST

To ensure firms are prepared for GDPR, a mix of both organizational and technological measures must be taken.

Organizational measures include appointing a DPO, and determining who is a data controller versus a data processor. Whenever a controller uses a processor, it needs to have a written contract in place. Other areas of consideration include implementing policies and training on handling personal and sensitive personal data, processing SARs, and an approach for executing a Data Protection Impact Assessment (DPIA). Data controllers must carry out a DPIA, which should include the measures, safeguards, and mechanisms envisaged for mitigating the identified risks.

Technological measures include data classification, data loss prevention, encryption, managing consent more explicitly, data transfer limitations, and technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.

A BEGINNING, NOT AN END

While 25 May heralds a new era in data privacy, it will take weeks and months to truly appreciate the impact of GDPR. Compliance with GDPR is an ongoing responsibility that, similar to the monitoring of outsourcing arrangements and anti-money laundering processes, will become core to asset managers’ oversight responsibilities. Firms will have to be ever mindful of what personal data they store and ensure that only mission-critical data is retained. Compliance with GDPR will also be an evolving process as regulators offer guidance on best practice. So, rather than representing the end of the GDPR journey, 25 May is really only the beginning.

KEY CONCEPTS

Personal data: Any information relating to a data subject, who can be directly or indirectly identified.

Data controller: Any person or entity that determines the purposes and means of the processing of personal data.

Data processor: Any person or entity that processes personal data on behalf of the data controller.

Data subject: An identified or identifiable natural person.