The EU’s sweeping new set of data protection rules will require big changes from wealth managers – and those in other sectors. This article gets into some of the pertinent details.
Just when wealth management industry folk thought things might get a bit quieter once the MiFID II process starts in January next year, they were rapidly disabused of that notion. In May next year a sweeping new set of rules governing data protection, affecting all sectors, takes effect across the EU. Known as GDPR for short, this legislation promises to be potentially as heavy on budgets as MiFID II.
The EU General Data Protection Regulation, which comes into force on 25 May 2018, is set to be a disruptive force, fundamentally altering how businesses manage personal data. Any firm which deals with customer data will be directly affected by this regulation. Despite the huge implications for how client data is handled, many fund and wealth managers remain unaware of the impact that GDPR will have on their day-to-day business. These firms now find themselves in a race against the clock to ensure that they are compliant ahead of the May deadline or risk facing potentially catastrophic fines, including up to 4 per cent of their annual global turnover or €20 million ($23.5 million), whichever is higher.
Many financial services firms are currently focusing their resources on compliance with the Markets in Financial Instruments Directive II (MiFID II), which comes into force on 3 January 2018. Some fund and wealth managers, particularly boutique firms, may have delayed this process due to the substantial costs and resources involved in a comprehensive implementation plan, but taking the necessary steps now will help ensure a smooth transition when the regulation comes into force next May and will avoid extensive long-term costs generated by inefficient procedures or regulatory penalties.
GDPR’s reach extends much further than current data protection laws and introduces sweeping changes, including the introduction of the accountability principle and new requirements for consent. The regulation grants new rights to individuals regarding the use of their data and carries huge penalties for the businesses that do not comply. In the words of the EU legislators, the GDPR is designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”.
A worrying number of firms currently hold the belief that GDPR will not apply to UK businesses following Brexit. In fact, the UK Government has already confirmed that the GDPR will be enshrined in full in UK law and will apply even after the UK has left the EU. The reach of the GDPR is not limited to the EU – any organisation that handles the data of EU residents will also be required to comply with the new laws.
Fund and wealth managers who collect data on their clients in order to tailor their advice and recommendations to their lifestyles and circumstances will be classed as ‘controllers’ under the new regulation. This term refers to any person, authority or organisation that collects data from individuals. Any third-party persons, authorities or organisations that work on behalf of the controller (‘processors’) will also be accountable under the regulation.
Here are steps fund and wealth managers should take to ensure they are ready for GDPR prior to its implementation.
i. Carry out data audits
Ahead of compliance preparations, fund and wealth managers should carry out an audit of all current data storage systems and processes. Firms should assess all stored data to determine who it relates to, what it is used for, how long it has been held for, and whether appropriate consents have been obtained.
ii. Understand individuals’ rights
GDPR grants individuals the right to know whether personal data concerning them is being processed, where and for what purposes. For example, if an individual has provided data to a wealth manager for advisory purposes, that manager will not be able to use this data for marketing unless they have obtained the appropriate consent. If the individual requests access to their personal information, GDPR states that it must be given to the individual free of charge and within one month.
The right to be forgotten, also known as Data Erasure, allows individuals to require the processor and controller to erase their personal data. As outlined in Article 17, this also includes situations where the data is no longer relevant to the original purposes it was being processed for.
Firms should take care to ensure that their data retention policies are consistent with the new rights granted to individuals under the GDPR. These include, but are not limited to, the right to be informed how their data is being used, the right to access their data and the right to be forgotten. Policy documents and procedures should then be revised to ensure that they reflect the new laws.
iii. Review data security and processing protocols
The GDPR makes firms responsible for data security and will hold them liable for not taking the necessary steps to reduce the risks of cyber-attacks. Firms should prioritise cleansing their databases to ensure that all stored data is ‘accurate’ and ‘up-to-date’. A good rule of thumb is to delete any unused data, as you will need to be able to justify why this ‘dormant’ data is being held onto. Failing to do this will constitute a breach under the GDPR. The more people that have access to data, the more vulnerable it will be to cyber-attacks. To address this risk, firms should assess how customer data flows through the firm, how it’s used and who needs access to it. Firms should restrict access to those who truly need the data to do their job. There should also be policies and strategies in place to ensure data is disposed of once it’s no longer needed.
Managers should ensure that they have contingency plans in place for the event of a data breach and continuously review organisational practices so that they are not found to be non-compliant. The KPMG/Government Cyber Governance Health Check 2017 revealed that over two thirds (68 per cent) of FTSE 350 boards have not received any training to deal with a cyber incident, demonstrating just how unprepared many of the world’s largest firms currently are for a deadline that is quickly approaching.
iv. Obtain appropriate consents
Article 7 of the GDPR stipulates that consent should be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”, and there ought to be some form of clear ‘affirmative action’, meaning an opt-in rather than an opt-out. Firms should reach out to any customers or clients whose data is held and ensure that they have the appropriate consent to use this data where the business relies on individuals’ consent to process it. This does not apply to active contacts.
Managers should ensure they have processes in place to remove any data which they no longer need to hold and for which they have not obtained the relevant permission from the individual concerned.
v. Be aware of new accountability rules
GDPR elevates businesses’ responsibility for accountability and governance of data. Firms will be responsible for how they collect, store and use personal data, including having in place data protection policies and impact assessments, in addition to having relevant documents on how data is processed. To demonstrate compliance with GDPR, firms should communicate new policies and systems to staff through comprehensive training in business practices, protocols and internal procedures.
vi. Implement reporting procedures
GDPR makes firms responsible for reporting personal data breaches to the Information Commissioner’s Office (ICO). The regulation gives a wide definition to the term data breach, defining it as the “destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Notification of breaches is mandatory in cases where the breach is likely to “result in a risk for the rights and freedoms of individuals”. Article 33 states this should be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Additionally, Article 37 discusses the designation of a data protection officer in cases where companies carry out “regular and systematic monitoring” of individuals on a large scale or process large volumes of sensitive personal data. To manage this requirement, boutique fund or wealth managers who may not possess the resources to introduce a compliance or data officer role should consider using a third-party system.
(c) WealthBriefing 2017