How GDPR affects the asset management industry
Jean-Francois de Clermont-Tonnerre discusses the need for successful businesses to adopt a flexible approach to GDPR for asset managers to evolve with the times.
The European Union's (EU) General Data Protection Regulation (GDPR) became effective on 25 May 2018 and brought with it significant changes from previous data protection laws. As one of the strictest privacy laws in the world, GDPR gives individuals in the EU control over how their personal data can be used. As a result, it has a significant impact on the daily operations of asset management companies.
The very nature of the asset management industry with its access to personal data and information on an individual’s net worth should mean that there were, even before GDPR, robust data protection protocols in place. However, the effect of working towards GDPR compliance has required most firms to carry out reviews and identify solutions to weaknesses within their data privacy framework.
Jean-Francois de Clermont-Tonnerre of AUM Asset Management discusses the need for successful businesses to adopt ‘a flexibility that enables us to move with the fast-evolving environments of both changing regulations and clients’ needs.’
With the emphasis on GDPR being not just a compliance exercise, this article digs deeper into examining the responsibilities and solutions for both asset management companies and their member firms.
Before we get into the detail, there are some key terms which organisations need to become familiar with when implementing the requirements of the regulations.
The rights of data subjects are protected under the GDPR. From the perspective of asset managers, data subjects are likely to be investors whose funds are overseen by the asset management company. Employees based in the EU will also be data subjects. So, while many companies have been attracted to Ireland due to favourable tax benefits, GDPR adds another layer of complexity to this location.
When considering the concept of personal data, GDPR provides examples which include:
This means that the handling of each of the documents routinely completed by asset or fund managers when getting to know their customers needs to be GDPR compliant.
Data controllers are the natural or legal persons who determine the purposes and means of processing personal data. They define what data will be captured, from whom and why it is needed. This means establishing a data privacy approach through a documented data privacy framework.
Controllers are also responsible for incidents such as data breaches. A breach must be reported to the relevant supervisory authority (such as the Information Commissioner's Office in the United Kingdom (UK)) without undue delay and, where feasible, within 72 hours of becoming aware of it, and communicated to the affected individuals where the breach is likely to result in a high risk to them.
Data processors are organisations, such as fund administrators, transfer agents or cloud and IT service providers, that process personal data on behalf of a controller. They may operate the IT systems which store the information and are responsible for the security measures, data transfers and deletion that the controller instructs them to carry out.
It’s essential to recognise that the processor works entirely under the instruction of the Data Controller, and so makes no decisions on actions which impact the use or control of each data set.
A Data Protection Officer (DPO) must be appointed in a limited number of cases: where the organisation is a public authority; where its core activities involve regular and systematic monitoring of data subjects on a large scale; or where its core activities involve large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
However, even if the processing doesn’t fit into these categories, it’s suggested that a Data Protection Officer is appointed to ensure GDPR compliance.
Supervisory authorities across the EU place a strong emphasis on genuine compliance efforts. This means procedures, paper trails and compliance assessments are essential evidence should an organisation within the asset management industry find itself subject to a complaint, data breach or inspection.
All staff, including asset managers, wealth managers and administrative staff, need to understand data protection protocols and their responsibilities to ensure the business is GDPR compliant.
Areas to review include:
Client consent obtained before the implementation date is still valid as long as it meets the requirements of the regulation. This means that all historical consent documents should be reviewed and, where they fall short, consent should be obtained again.
Clients who are located in the European Union (regardless of citizenship) have the right to access the data that is held on them. Many software packages used pre-GDPR can make this a challenging task. Remember that requests must normally be answered within one month (extendable by a further two months for complex or numerous requests), so the ability to locate and extract a client's data quickly is essential.
Clients also have the right to 'data portability'. This means they may request their personal data in a structured, commonly used and machine-readable format which can be passed to other companies, thus preventing 'vendor lock-in' situations.
All companies within the asset management industry should already be testing their systems regularly to minimise the potential for a security breach. GDPR requires appropriate technical and organisational measures, such as encryption and pseudonymisation, together with a process for regularly testing and evaluating their effectiveness, and evidence that those procedures are actually followed.
Data authorities are looking to ensure that GDPR is not seen as just a compliance exercise; it’s also a consistent approach to every interaction with personal information.
A business may assume that it is exempt from GDPR if it has no European clients. However, if the company website offers services to individuals in the EU, or monitors their behaviour (for example through analytics, cookies or email marketing), then personal data is being collected and GDPR responsibilities follow. Merely being reachable from the EU does not by itself bring a site into scope, but the way most marketing websites are built usually does.
Where consent is relied on as the lawful basis for processing EU residents' data, it must be freely given, specific, informed and unambiguous, and the following areas need to be addressed:
Users must be made aware of the collection of their data when using contact forms. In most asset management companies, this means that the information will be processed and stored before use. An unticked tick box which the user actively selects is one way of obtaining consent; pre-ticked boxes do not count. The consent request should be presented separately from the general terms and conditions, which should themselves be easy to locate and provide clear information on the processing of personal data.
It is essential to notify users that your website sets cookies. This usually means creating an overlay which appears as soon as someone enters the site and requires an 'opt-in' response before any non-essential cookies are set. GDPR requires the following information to be provided:
This clarifies that an individual who is visiting the site following an internet search also has the right not to be subject to cookies, even if they have no intention of providing further personal data.
It should be as easy for the individual to withdraw permission as it is to give consent. Once consent is withdrawn, the business may no longer process the information on that basis, and it must be deleted unless another lawful basis (such as a legal retention obligation) applies.
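The opt-in overlay and the 'withdrawal as easy as consent' rule above come down to a small piece of gating logic: no non-essential cookie is written and no tracking script is loaded until the matching category has been granted, and withdrawing a category purges the cookies it covers. The following is an added example, not code from the article or from any product it mentions; the category names, the in-memory CookieJar that stands in for document.cookie so the code runs offline, and the audit log are assumptions for illustration.

```javascript
// Added illustration of consent-gated cookies; not the article's own code.
// CATEGORIES, CookieJar and the audit log are assumptions made for this example.
const CATEGORIES = new Set(["necessary", "analytics", "marketing"]);

// In-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // Default state: only strictly necessary cookies, until the user opts in.
    this.granted = new Set(["necessary"]);
    this.registry = new Map();   // cookie name -> category it belongs to
    this.log = [];               // audit trail of consent decisions (the "paper trail")
  }

  // Opt-in: only the categories the user actively selected are granted.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.has(c)) throw new Error(`unknown consent category: ${c}`);
      this.granted.add(c);
    }
    this.log.push({ action: "grant", categories: [...categories], at: Date.now() });
  }

  // Withdrawal: one call revokes the category and purges every cookie registered under it.
  withdraw(categories) {
    for (const c of categories) {
      if (c === "necessary") continue;          // strictly necessary cookies need no consent
      this.granted.delete(c);
      const toRemove = [...this.registry].filter(([, cat]) => cat === c).map(([n]) => n);
      for (const name of toRemove) {
        this.jar.remove(name);
        this.registry.delete(name);
      }
    }
    this.log.push({ action: "withdraw", categories: [...categories], at: Date.now() });
  }

  hasConsent(category) { return this.granted.has(category); }

  // Every cookie write passes through here, so a missing opt-in refuses the write.
  setCookie(name, value, category) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown consent category: ${category}`);
    if (!this.hasConsent(category)) return false;  // refused: no consent for this category
    this.jar.set(name, value);
    this.registry.set(name, category);
    return true;
  }
}

// Third-party tag loader that only runs once analytics consent exists.
function loadAnalytics(consent, loader) {
  if (!consent.hasConsent("analytics")) return false;
  loader();
  return true;
}

// Walk through the lifecycle and return the observable results.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  const before = cm.setCookie("_ga", "GA1.2.1", "analytics");   // refused: no opt-in yet
  cm.setCookie("session", "abc123", "necessary");              // allowed: strictly necessary
  cm.grant(["analytics"]);                                     // user opts in to analytics
  const after = cm.setCookie("_ga", "GA1.2.1", "analytics");    // now allowed
  const loaded = loadAnalytics(cm, () => {});                  // tag loads only after opt-in
  cm.withdraw(["analytics"]);                                  // withdrawal purges _ga
  return {
    before, after, loaded,
    remaining: jar.names(),          // ["session"]
    granted: [...cm.granted],        // ["necessary"]
    logEntries: cm.log.length,       // 2
  };
}
```

In a real site the CookieJar methods would wrap document.cookie (or the server-side Set-Cookie path) and the loader would inject the analytics script tag; the point is that the consent check sits in front of every write and every tag load, and that the withdrawal path removes what the grant path allowed.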
The requirements of the regulations that asset managers are required to meet will depend on whether they are classified as data controllers or processors. Assessment will need to be carried out on an individual basis, but if an asset manager holds the personal information of an individual under the jurisdiction of the GDPR, and decides the purpose and means for processing activities, then it’s likely that they will be considered to be a controller. This means they need the knowledge and understanding required to implement a data privacy approach to the management of personal data.
Asset managers who are also controllers are required to ensure that they only hold the data necessary to perform applicable services and to delete it when it’s no longer required by applicable law or regulation.
The very nature of both asset management and wealth management requires trust and confidence from investors in the way organisations carry out their data processing activities, and that extends to the reputations of member firms. So data breaches, action by a data protection authority and resultant fines are likely to have a considerable impact on the wider organisation's reputation.
However, it’s not only about reputation; the financial impact of these situations can be significant, even for the largest organisations with financial penalties being designed to make the impact of GDPR non-compliance a costly mistake. Less severe infringements result in fines of up to €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher.
For more severe infringements the fine is up to €20 million or 4% of worldwide annual turnover from the preceding year, whichever is higher. Data protection authorities have already issued fines well in excess of €10 million to high-profile firms in the UK, the US and elsewhere, so it is clear that they are not afraid to use their powers where firms have suffered security breaches or failed to meet their obligations.
In addition to these fines, Article 82 of the regulation gives each affected person the right to seek compensation for material or non-material damage suffered as a result of an infringement, whether that stems from a data breach or from processing without a valid lawful basis.
It is important for both asset managers and wealth managers to be aware that it is not only organisations which face penalties. Under national law, such as the UK's Data Protection Act 2018, individuals who knowingly or recklessly obtain, disclose or retain personal data without the controller's consent can commit a criminal offence and be fined personally.