Citi 2018 FinReg Outlook
KEY CONCEPTS
Data subject: an identified or identifiable natural person.
Personal data: any information relating to a data subject, who can be directly or indirectly identified.
Data controller: any person or entity that determines the purposes and means of the processing of personal data.
Data processor: any person or entity that processes personal data on behalf of a data controller.

relationships involving personal data processing. As a result, enhanced due diligence over processors will be a key part of GDPR planning.

Underpinning GDPR is the potential for some eye-watering fines: up to the greater of €20 million or 4% of global annual turnover. In addition, a mandatory breach notification requirement means firms must notify the data protection authority within 72 hours of becoming aware of a personal data breach. Affected individuals must be notified without undue delay if the breach is likely to pose a high risk to them.

WHAT MIGHT THIS MEAN FOR THIRD COUNTRIES?
To ensure the level of protection afforded by the GDPR is not undermined, there are restrictions on the transfer of personal data outside the European Union to third countries or international organizations. Transfers may be made where the European Commission has decided that a third country, a territory, one or more specific sectors within a third country, or an international organization ensures an adequate level of protection. So far, adequacy decisions have been reached in relation to Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. Where no adequacy decision exists, a transfer needs another lawful basis, such as standard contractual clauses or binding corporate rules. The issue of third-country adequacy is particularly relevant for the UK, since following Brexit it may end up as a third country. This would mean the UK's data protection rules would need to be found adequate by the Commission.

FIRMS' TO DO LIST
The GDPR implementation deadline has been on asset managers' watch lists for some time.
To ensure firms are prepared in advance of the deadline, a mix of both organizational and technological measures must be taken. Organizational measures include appointing a Data Protection Officer (DPO), and determining who is a data controller versus a data processor. Whenever a controller uses a processor, it needs to have a written contract in place. Other areas of consideration include implementing policies and training on handling personal and sensitive personal data, processing subject access requests (SARs), and an approach for executing a Data Protection Impact Assessment (DPIA). Data controllers must carry out a DPIA where processing is likely to result in a high risk to individuals; the assessment should include the measures, safeguards, and mechanisms envisaged for mitigating the identified risks. Technological measures include data classification, data loss prevention, encryption, managing consent more explicitly, data transfer limitations, and technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.

The clock is ticking on GDPR. Given the substantial financial implications of non-compliance, firms must ensure they finalize their data-related processes and procedures in advance of 25 May 2018.

Citi Custody & Fund Services – FinReg Outlook 2018