Citi 2018 FinReg Outlook
EMEA

GDPR: EU Sets the Standard in Data Privacy

The EU’s forthcoming data privacy rules set a new bar for global data protection regulations.

After more than five years of negotiation, the EU’s General Data Protection Regulation (GDPR) finally becomes effective on 25 May 2018. The GDPR sets a new global benchmark for the protection of personal data. It is intended to harmonize the inconsistent data protection laws across the EU and give EU citizens greater control over their data. Overall, the compliance burden and penalties for firms under the GDPR will increase dramatically.

AMANDA HALE
Global Head of Regulatory Services, Trustee & Fiduciary Services

KEY ELEMENTS

GDPR has a wide scope. It applies to the handling of personal data by groups established in the EU. It also extends to groups outside the EU that handle the personal data of any EU-domiciled citizen.

Data Protection Officer

Under GDPR, a key requirement is the mandatory appointment of a Data Protection Officer (DPO). The DPO is the data protection expert within an organization responsible for overseeing the processing of both third-party and internal personal data. The DPO is required to help data ‘controllers’ and ‘processors’ comply with data protection law, and avoid the risks organizations face when processing personal data. Additionally, the DPO acts as the point person for data protection queries.

Data Portability, Subject Access Requests, and Erasure

Rights of data subjects have also been enhanced, including an explicit right of data portability, subject access requests (SARs), and erasure:

• Data portability allows individuals to obtain and re-use their personal data for their own purposes across different services. The consent of data subjects, obtained by a statement or clear affirmative action, must also be unambiguous.
• SARs allow individuals to request, in writing, confirmation on whether personal information is being processed by an organization. Organizations must respond to an SAR within one month of receipt.
• Erasure (otherwise known as the ‘right to be forgotten’) lets individuals request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Increased Accountability

In other areas, data processors will have increased responsibilities and liability. This has a significant impact on all vendor

Citi Custody & Fund Services – FinReg Outlook 2018