Why 2017 must be the year of compliance. Part 1: GDPR
By George Ralph, RFA - It’s August already, and 2017 is over half gone. There are two major pieces of legislation coming into effect in early 2018, which will affect alternative investment firms in the UK, and firms worldwide who are holding data on European citizens, or trading with firms in the EU.
The EU General Data Protection Regulation (GDPR) represents the most significant change in global privacy law in 20 years. GDPR places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. The second regulation, absolutely critical for financial services firms, is MiFID II. MiFID II adds an extraordinary reporting and data collection burden onto buy and sell side firms, and will require a thorough overhaul of systems, policies and procedures in order to comply.
If you’re not already doing so, here’s how I believe you should be approaching the first of these two major pieces of legislation: GDPR.
1) Knowledge is power. Evaluate your existing data – understand where it is, why you have it, how old it is, who it belongs to and if the subject has given consent for you to hold that information.
2) Plan to carry out a Data Privacy Impact Assessment before processing any new personally identifiable information.
3) Map your data against GDPR regulations, specifically, categorize it so that it can be safely deleted at the end of its retention timespan, when it is no longer needed for the original purpose, or when the subject requests it.
4) Ensure the data is stored according to GDPR regulation. Data should be secure. Tokenizing or encrypting data will keep it secure and authentic. Data should be portable. Use non-proprietary systems with open standards where possible, and ensure that all data and associated files can be transferred to another system when needed.
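Steps 3 and 4 above are the two that translate most directly into code. The following is an added example, not code from the original article or from RFA: a minimal personal-data inventory in which every record carries a category, purpose, collection date and consent flag, a review routine that applies the three deletion triggers from step 3 (retention expired, purpose ended, subject erasure request) and flags records that cannot be classified, and a keyed tokenization helper for the direct identifiers mentioned in step 4. The categories, retention periods, record fields and sample records are assumptions constructed for illustration; real retention periods come from your own legal review.

```python
"""Added example (not part of the original article): data inventory review
with GDPR-style deletion triggers and keyed tokenization of identifiers."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per data category. These values are assumptions for the
# example; the real figures are set by your retention policy, not by GDPR.
RETENTION_DAYS = {
    "kyc": 5 * 365,        # client identity checks
    "marketing": 365,      # prospect contact details
    "recruitment": 180,    # CVs of unsuccessful applicants
}


@dataclass
class Record:
    """One entry in the inventory built under step 1 (assumed field set)."""
    subject_id: str        # direct identifier, e.g. an e-mail address
    category: str
    purpose: str
    collected_on: date
    consent_given: bool
    purpose_active: bool = True     # False once the original purpose has ended
    erasure_requested: bool = False  # True once the subject asks for deletion


def review_action(rec, today):
    """Decide what to do with one record on a given review date.

    Returns ("delete", reason), ("keep", None) or ("review", reason).
    The three deletion triggers are checked in the order a subject would
    expect: an erasure request wins over everything else.
    """
    if rec.erasure_requested:
        return ("delete", "subject requested erasure")
    if not rec.purpose_active:
        return ("delete", "no longer needed for the original purpose")
    if rec.category not in RETENTION_DAYS:
        # An uncategorised record can neither be retained nor deleted safely.
        return ("review", "uncategorised record; assign a category first")
    expiry = rec.collected_on + timedelta(days=RETENTION_DAYS[rec.category])
    if today >= expiry:
        return ("delete", "retention period expired on " + expiry.isoformat())
    if not rec.consent_given:
        return ("review", "no recorded consent; confirm another lawful basis")
    return ("keep", None)


def run_review(records, today):
    """Apply review_action to the whole inventory, grouped by outcome."""
    outcome = {"keep": [], "delete": [], "review": []}
    for rec in records:
        action, reason = review_action(rec, today)
        outcome[action].append((rec.subject_id, reason))
    return outcome


def tokenize(identifier, key):
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    The same identifier and key always give the same token, so records can
    still be joined, but the identifier cannot be recovered from the token
    without the key. Keep the key outside the data store it protects.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample inventory and review date (not real data).
TODAY = date(2018, 5, 25)
SAMPLE_RECORDS = [
    Record("alice@example.com", "marketing", "newsletter", date(2016, 6, 1), True),
    Record("bob@example.com", "kyc", "client onboarding", date(2015, 1, 10), True),
    Record("carol@example.com", "recruitment", "job application",
           date(2018, 3, 1), True, erasure_requested=True),
    Record("dave@example.com", "legacy_spreadsheet", "unknown", date(2012, 2, 2), True),
    Record("erin@example.com", "marketing", "event invite", date(2018, 1, 1), False),
]

if __name__ == "__main__":
    for action, entries in run_review(SAMPLE_RECORDS, TODAY).items():
        for subject_id, reason in entries:
            print(f"{action:6} {tokenize(subject_id, b'example-key')[:16]}  {reason or ''}")
```

Running the script reviews the five constructed records: the expired marketing record and the erasure request are marked for deletion, the uncategorised legacy record and the record with no consent are flagged for human review, and the in-period KYC record is kept. Only tokens are printed, so the review log itself is not a fresh copy of the identifiers.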
5) Understand the risk of non-compliance. Fines of up to £17m or 4% of annual turnover can be levied.
6) Consider trans-Atlantic data transfers and client handling activity, and ensure GDPR activities also meet US regulations like Privacy Shield.
7) Update internal policies and processes. Review and update privacy notices and create a GDPR compliant process for data access requests. Plan how requests to move or transfer data will be addressed.
8) Ensure widespread buy-in. Gather key company stakeholders and get them to read, input into and agree your GDPR action plan. Involve representatives from each department, front office, HR, PR, the board of directors, legal and compliance.
If you are still in doubt about what to do and when you need to do it, the answer is to call a knowledgeable partner, now!