Caught in the EU FinReg Wake
Citi Custody & Fund Services – Caught in the EU FinReg Wake

KEY ELEMENTS

GDPR has a wide scope, and applies not only to the handling of personal data by groups established in the EU, but also to groups outside the EU that handle the personal data of any EU-domiciled resident. Given the wide scope, GDPR has a global reach that potentially impacts non-EU firms even if they do not have a presence in the EU.

Data Protection Officer

A key requirement for many organizations is the mandatory appointment of a Data Protection Officer (DPO). The DPO is the data protection expert within an organization responsible for overseeing the processing of both third-party and internal personal data. The DPO is required to help data ‘controllers’ and ‘processors’ comply with data protection law, and avoid the risks organizations face when processing personal data. Additionally, the DPO acts as the point person for data protection queries.

Data Portability, Subject Access Requests, and Erasure

Rights of data subjects have also been enhanced, including an explicit right of data portability, Subject Access Requests (SARs), and erasure:

• Data portability allows individuals to obtain and re-use their personal data for their own purposes across different services. The consent of data subjects, obtained by a statement or clear affirmative action, must also be “unambiguous.”
• SARs allow individuals to request, in writing, confirmation on whether personal information is being processed by an organization. Organizations must respond to a SAR within one month of receipt.
• Erasure (otherwise known as the ‘right to be forgotten’) lets individuals request the deletion or removal of personal data where there is no compelling reason for its continued processing.

After more than five years of negotiation, the EU’s General Data Protection Regulation (GDPR) finally becomes effective on 25 May 2018. GDPR sets a new global benchmark for the protection of personal data.

It is intended to harmonize the inconsistent data protection laws across the EU and give EU citizens greater control over their data. Overall, the compliance burden and penalties for firms under GDPR will increase dramatically.

The EU’s forthcoming data privacy rules set a new bar for global data protection regulations.

AMANDA HALE
Global Head of Regulatory Services, Trustee & Fiduciary Services

GDPR: Navigating the EU’s Data Protection Rules