Asset managers tempted to relax when it comes to the new European Union General Data Protection Regulation (GDPR) now the UK has voted to leave the EU should think again.
The GDPR comes into full effect in May 2018 – even if the UK had triggered Article 50 of the Treaty of Rome, giving two years’ notice to leave the EU, on the day of the referendum result last month, there would be no escaping the new provisions. In fact, it’s far from clear when the UK will serve notice of its exit – asset managers are going to have to live with GDPR for some time to come.
The new regulation applies to all organisations, of course, and not just the asset management sector. However, the nature of the asset management business model leaves firms in this industry particularly exposed to data protection issues. They collect and hold extensive data on their customers, with information often passed around a broader financial services group. Their marketing and communications material is extensive and often relies on this data. And they have frequently been a target of cyber attack.
It’s therefore crucial that asset managers get to grips with the GDPR well in advance of April 2018, when the new rules formally harmonise the national data protection laws that currently apply separately in each of the EU’s 28 member states. The penalties for falling foul of the new regulation are daunting – fines of up to 4 per cent of a business’s global turnover for non-compliance.
For asset managers, the key issues will begin with consent. You will need explicit permission to use customers’ personal data – for any purpose, including marketing. Your customers will also have a right to be forgotten – to request that you delete all the personal data you hold on them. You’ll also need to be sure you have systems in place to enable the transfer of personal data to a competitor if requested – when an investor moves his or her money to another manager, for example. And if you do suffer a data breach, you will be legally required to disclose it to regulators, and possibly to make a public declaration.
What does that mean in practice for asset managers? It may be helpful to think separately in terms of compliance for existing customers and new customers (including renewals):
- With existing customers, you must be able to prove you have obtained permission to use their data; you’ll also need to know exactly where all data for a given customer sits on your systems, even if this is in a number of different places, so that you can control compliance; you should also have mechanisms in place so that you can transfer an individual’s data to another firm, if asked to do so.
- For new customers, the same rules apply. But in addition, your terms and conditions should now explicitly set out permission procedures and how they relate to your data protection duties; you will also need to be able to show you’re building data protection safeguards into new products and services right from the beginning of the design process.
There is no shortage of opportunities to trip up here, particularly if data is not carefully controlled throughout an asset manager’s organisation. Not least, the frequency with which asset managers communicate with their customers means it will be painfully obvious to people that their data is being used in a way they haven’t consented to, or in breach of a withdrawn permission or request to be forgotten.
Understanding the regulation is therefore not enough to ensure compliance. Asset managers need to ensure their organisational structures and processes will keep them on the right side of the law.
There are various steps to take in the first instance. Consider conducting a GDPR readiness audit – a test of your current state of play – either internally or through a third-party consultant. Appoint a senior leader to take charge of ensuring GDPR compliance – someone with sufficient power and credibility to be able to drive change. Consider training for employees from across the organisation so that all staff understand their responsibilities.
Don’t leave it too late. With less than two years to go until GDPR implementation, there’s now a relatively short window of opportunity to ensure compliance from day one. Even Brexit isn’t going to get your organisation out of this one.