Regarded as the largest data regulation act in modern European history, the General Data Protection Regulation (GDPR) has taken the compliance world by storm. Adopted in April of 2016, the new regulation addresses the mounting concern over the use and security of private consumer information online — with its sights set on a complete regulatory overhaul.
GDPR becomes effective on May 25, 2018. As that date rapidly approaches, it’s no surprise that questions and concerns for GDPR and the wealth-management industry have blossomed. As written, GDPR’s impact on fund, investment and asset managers could be large, costly, and time consuming.
Table of Contents
- What Is the General Data Protection Regulation (GDPR)?
- What Does the GDPR Do?
- Who Does GDPR Apply To?
- Why Does GDPR Matter for the Asset and Wealth-Management Industry?
- Key Changes for Asset and Investment Managers with GDPR
- Current Data Oversight
- GDPR Violation Factors
- Fines, Sanctions, and Liabilities
- GDPR Impact on Managers in the EU
- Impact On Non-EU Managers
- What Next Steps Should Be Taken?
Aimed to simplify and synchronize data-protection laws across EU lines, as well as prioritize a citizen’s control of their personal information, GDPR comes at a time when public concern over the safety and security of “big data” practices has never been more contentious.
And while its intention is good, GDPR does present some compliance complications for advisors and the asset management industry. Anyone utilizing digital communications and e-commerce procedures, as well as those who gather customer’s personal data for informational, transactional and/or marketing purposes, could be impacted by GDPR. When it comes to GDPR compliance for fund managers, investment managers and others in the wealth-management industry, you’re likely asking yourself how you can legally collect and store finance-related personal data — and what you can do once you have it.
GDPR has a number of applications and ramifications. These sweep across industries and their big data usage, ultimately changing the way management can gain and use private consumer materials.
For explanatory purposes, GDPR’s measures can be broken down into three main categories.
- Collection: GDPR enacts sharper, updated terms for how you can collect any and all personal data online. What’s more, this data collection must be transparent and understandable to the average person. The days of checking a terms-and-conditions box are over. Wealth management agencies must now openly and plainly ask for a consumer’s information online in simple, everyday language, syntax and opt-ins — plus adhere to whatever consent modifications a client or consumer requests.
- Storage: As a financial representative no doubt utilizing personal information, your firm has 72 hours, or an “undue delay” period, to report attacks or data breaches to affected individuals and data-protection authorities. Protective measures for all stored information have also heightened. Security criteria now include encryption and pseudonymization of all data, ongoing confidentiality agreements, timely access for clients to review their materials and regular data-security tests. You are also responsible for the complete, safe transfer of stored information to third party vendors or countries inside and across EU lines, regardless of where your firm or business is located.
- Utilization: If you’ve collected information, such as names, email addresses, bank information or an IP address in the past from EU clientele, you must now recollect that data using new, GDPR-standard wording. Furthermore, your consent notices and data-collection messaging must explicitly state how you intend to use collected data. This includes notes, explanations and even timelines for information application, whether for a simple e-newsletter subscription or in-depth fund transfer processing.
Perhaps the most important sanction under GDPR: customers now have a right to the entire breadcrumb trail of their online information. Private institutions can no longer deem such information “proprietary” and are obligated to provide full, easy-to-understand documentation of how, when and where data is used. Consumers may request that their information be permanently deleted — a new and critical provision known as the Right to Be Forgotten.
The catch? All the above is granted only if a client or consumer directly asks for it. Yet it means a significant overhaul in your information-management systems, as well as how you log, store, retrieve and share all collected data with clientele.
GDPR applies to all organizations, businesses and entity types doing work with EU clients. This means both those organizations located physically within the EU’s 28 countries and those outside of them.
In other words, it does not matter where you are physically located. If you work with and manage assets for any EU clients — even just one — compliance is mandatory. Given the fact that nearly all investment and asset work requires collecting, holding and utilizing personal data, as well as offering a range of goods and advisory services for EU “natural subjects,” GDPR stands to directly affect many finance industry operations.
This has come as a surprise to many and could have a major impact on the asset-management industry, where transactions not only require but function off hyper-sensitive personal information.
GDPR matters for many reasons — but most critically because the world we live in is digital-first. This means financial institutions across the board must adapt to the tenets GDPR stands for: the safety and stability of consumer information online. From large hedge-fund managers to individual investment advisors, GDPR matters in shaping the way wealth management businesses see and treat their clientele, promote confidence among them — and ultimately guard their own reputation.
- GDPR standardizes the kinds of network testing and risk-identification measures that can quickly grow outdated within a financial firm — especially small to mid-sized ones.
- GDPR provides formal and informal infrastructure requirements necessary to address data breaches, network security and its related effects on clientele trust.
- GDPR brings the industry up-to-date regarding its treatment of sensitive data and transparency practices.
- GDPR establishes improved, two-way communication between wealth management entities and their constituents, bolstering the kinds of relationships that are the foundation of a thriving firm.
Big data has transformed the financial services industry. Across its many forms and functions, we hold a duty to our clients — and to ourselves — to provide the most compliant and agile services possible.
The summary of changes GDPR ushers into the wealth-management world is perhaps its most daunting aspect. The impact on fund, investment and asset managers, as well as individual advisors, will carry inevitable ripple effects affecting your day-to-day digital interactions and operations.
Having a resource on-hand addressing these key changes and important adaptations is not only helpful — it’s functionally necessary. We’ve outlined the major industry implications below, as well as the backdrop currently in existence for non-EU fund managers as it relates to GDPR.
1. The Basic Principles of GDPR: Data Controller vs. Data Processor
GDPR solidifies the definitions of the two critical bodies involved in online data collection: data controllers and data processors. You, as an individual investment advisor or fund manager, likely fall into the former. Data controllers are defined as those who set the procedural and practical uses of all collected data. They determine the purpose of data collection, as well as what data is collected, from whom and for what explicit purpose. Data controllers are also responsible for reporting data attacks or breaches to affected individuals and regulatory bodies.
Related but not identical, data processors are people or agencies in control of processing individual data on behalf of the controller. They’re the technical side of the equation, not the tactical. They manage the data’s IT storage systems, as well as data security measures, testing, transfers and any necessary data deletion.
The scope and nature of your firm’s operations will determine what data classification the firm falls under. Many large-scale financial institutions will have data controlling and data processing functions in-house, while small to mid-sized firms will partner with a third-party group for the more technical data processing. Inquire about your data-management system today to ensure proper compliance among the applicable service providers and vendors.
2. GDPR Is Now a Regulation, Not a Directive
The legal ramifications behind a regulation-versus-directive label are an important change for financial institutions and managers to understand. To begin, a regulation is a binding legal act, meaning it contains explicit, non-negotiable tenets that are law in their stated entirety across the EU. Directives, on the other hand, are legislative goals all EU countries are bound to comply with. With directives, different countries can tweak and modify how they reach that goal. The goal itself can’t change, however.
Previous data-security measures were classified only as directives. Individual countries across the EU — and around the globe, for that matter — could set benchmarks and self-regulate their own security rules as well as violator sanctions. This resulted in a progression of discrepancies and loopholes, which GDPR aims to close and clarify.
3. Freely Given, Informed and Unambiguous Consent Is Mandatory, Not a One-And-Done Guideline
Since consent is a standard operating clause for many organizations to legally compile and process consumer data, the need for its explicit and clear presentation is one of GDPR’s largest overhauls. While the idea for online consent is nothing new, the way in which it will be written, provided, delegated and maintained will see major updates. Popular past consent tactics — from simple online checked boxes to one-time e-signatures on contract terms and conditions — will likely need revisiting to guarantee compliance for your EU clientele.
In fact, unambiguous client consent is now deemed a legally binding data subject right. There are four main conditions that fall under GDPR’s umbrella term of unambiguous client consent, which are as follows:
- Consent must be informed, with organizations able to prove what data is needed in a clear and purposeful manner.
- Consent must be offered in plain and easy-to-understand language, not muddied with complicated or complex legal terminology and lexicon.
- Consent requests need to be use-specific, sent to the consumer on a per-purpose basis. How and what you intend to use a client’s information for, as well as how the use of that information is critical to your financial service offerings, must be included across consent forms. Explaining the processing of someone’s data in broad terms is insufficient under GDPR. You must provide detailed, specific disclosures.
- Consent must be given under clear conditions of free will. Your client must provide consent to use their information in a timely and knowledgeable manner, without coercion or contractual technicalities. Free will addresses past issues of power and conditionality clauses. This provision renders a financial service contract void if a client does not validly and freely sign over data control.
4. Data Privacy and Portability
One of GDPR’s largest changes is the re-concentration of data power back in the hands of “data subjects,” or your clients themselves. Likewise, you as a data controller must adhere to the consent wishes of your clients, though there are some caveats and functional stipulations for financial services.
Another essential data right for EU citizens is called the right to data privacy and data portability. Clients have the right to directly access, review and remove their personal data from your storage networks. They can do this explicitly and autonomously, without any extra oversight from outside authorities.
For financial institutions, there is an important caveat to data privacy and portability: Investment and asset managers are permitted to still keep some data in their system in order to remain compliant with other industry regulations. However, it is better for managers to err on the side of caution. If a client notes interest in their Right to Be Forgotten, it’s advised that you clearly state what pieces can and cannot be removed without rendering your services impermissible.
5. Third-Party Vendors
If your financial organization utilizes outside, third-party data processing services or consulting of any kind, GDPR mandates they be compliant as well. What GDPR considers a third-party processing vendor is rather intuitive. Anyone you work with that has access to and handles your clients’ personally identifiable information (PII), i.e. the information that can be used to identify someone, must be legally compliant by May 25, 2018.
6. Data Breaches and Security
Current U.S. federal laws exist, as well as many on the state level, to address how companies must handle public data breach announcements. However, unlike GDPR, these laws come with striking loopholes — particularly if a business or agency claims that declaring a breach would impede a formal criminal investigation.
GDPR closes these loopholes. It requires businesses, proprietors, individuals or agencies with licensed, personal-data-storing computer systems to report a security breach to authorities within 72 hours and to affected parties without “undue delay.” Some note that Article 33 of GDPR — where the breach notification rules are outlined — remains vague on what constitutes “undue delay.” Though the 72-hour window to report to relevant data authorities is a step to quell consumer worry and fear about past attack mismanagement, much remains up for interpretation on proper timelines to notify affected individuals.
7. How Will GDPR Administrative Fines and Sanctions Be Applied?
The consequences for GDPR violations will be severe. They range in terms of operational penalties and monetary fines, plus other sanctions for illicit timelines, technicalities and legal ramifications for those deemed negligently responsible for financial service non-compliance.
In the United States, SEC and FTC provisions provide the stateside building blocks for the same data-protection laws that GDPR fine tunes in the EU. Its backdrop is important to review to understand the full scale of GDPR changes and compliance extensions for your EU clients.
Currently, U.S. laws require the wealth and asset-management industries to safeguard the personal data of their clients, all of whom are considered “natural persons” in the eyes of these laws. For SEC-registered investment advisors, safeguarding means adopting measures to protect clients’ non-public PII. For non-SEC-registered advisors, FTC-mandated Safeguard Rules must be followed to provide the same safety structures. These safeguard measures include, but are not limited to:
- Written policies and procedures outlining client information safety protocol;
- Potential data risk identification and mitigation within those safety protocols; and
- Routine assessment and analysis of data-compliance procedures and networks.
It bears repeating that your firm likely already falls under the SEC- and FTC-governed data security provisions. However, the implementation of GDPR will likely extend what measures you must impose for your EU clients, as well as the disclosures you provide regarding your use of EU client data.
The amount your financial group could be fined depends on the egregiousness of the violation. Namely, non-compliance fines will be determined by the following metrics:
- The size and severity of a data breach in relationship to its adverse consumer effects.
- Your institution’s GDPR awareness, or the steps and measures it took before a breach to meet GDPR standards and prevent data attacks. Note: These steps have to be proven, not merely strategic to-dos or whiteboard goals.
- Your institution’s lack of up-to-date safety and security networks and data-storing systems, as well as its failure to test for and prevent in-depth personal data breaches within these systems.
- Incomplete, vague or overtly complex means for acquiring client consent, including convoluted procedures and data consent updates that don’t meet GDPR’s “freely given, clear and unambiguous” messaging.
- How thoroughly you have honored the requests of data subjects. This includes your handling of GDPR’s outlined data subject rights, your response times and accuracy in handling requests and your honoring of the right to be forgotten.
GDPR organizes violation types into a range of categories. The extent to which an asset management firm has been found guilty of ignoring or mishandling GDPR’s security tenets has the largest effect on which violation category it falls into. For the most in-depth and technical look at violation groupings, consult Chapter 8 of GDPR’s own remedies, liabilities and penalties section. Read on below to assess the critical fines and penalty procedures for the wealth-management industry.
- Fines: 4% of global annual revenue or €20 million, OR 2% of global annual revenue or €10 million. There are two main branches of administrative fines financial managers could fall under. The most well-known and overarching is the larger penalty of the two, which runs up to 4% of global revenue or €20 million — whichever is higher. Chapter 8 of GDPR’s official guidelines also states a secondary fine type of 2% of global annual turnover or €10 million. The penalty range is largely determined by how non-compliant an agency is found, or the scale and severity of its breach.
- Data Protection Authority (DPA) sanctions. An individual EU country’s DPA can open a case into most institutions that have been reported as suspicious or likely negligent of GDPR laws. If they find an institution is compliant, no sanction action will be taken. If they rule that breaches or negligence have occurred, on top of fines, three sanctions processes can initiate. First, DPAs can suspend data flows between recipients. Second, they can publicly reprimand and hold liable a company. Third, the DPA can temporarily or indefinitely ban that non-compliant institution from processing any further subject data.
- Administrative, civil or criminal liability. GDPR has an exclusive fines and violations regulatory body known as the Article 29 Working Party. It exists solely to assist, assess and classify the regulatory oversight of GDPR cases. Given the widespread worry many institutions have over their GDPR readiness, Article 29 Working Party has published its own guidelines on how to best remain compliant and avoid fines. It has also taken care to note three separate accountability types: administrative, civil or criminal. Each comes with its own range of fines and sanctions, depending on the extent to which a wealth manager has been acting irresponsibly with client data.
Across fines, sanctions, penalties and regulation types, it should be noted that there is no single, overarching regulatory body dedicated solely to monitoring finance data processes. Even amidst all the worry over GDPR fines, it falls on consumers to report suspected misuse or unlawful activity. These reports then make their way to an individual EU country’s data protection authorities and boards for review.
GDPR will have many procedural and technical impacts on EU asset and wealth managers. Beginning with adequately demonstrating compliance to reviewing data control and processing operations to the testing of new security software, financial constituents within EU borders have a summary of changes that should likely be underway already:
- Review of controller-versus-processor in-house operations or external partnerships. Wealth managers and investment advisors in the EU would do well to familiarize themselves with data controller and data processor classifications to see which definition they directly fall under. They must take an in-depth look at the nature of the financial services their contracts offer to each data subject and determine what those contracts deem their data management roles and responsibilities to be, as well as how clear those roles are to the client.
- Data privacy by design and default. As stated before, many see GDPR as fundamentally shifting control of data back into the hands of the everyday consumer. With the overall goals of making online data usage more understandable and transparent, EU wealth managers must implement smooth organizational and technical systems to keep data privacy truly private, data design accessible and negotiable and consumer data experiences seamless. In other words, you must make the EU client feel in control of their personal information — not the other way around.
- Overhaul of client consent communications. At the very least, EU asset and fund managers must do a thorough review of the current communication channels by which they receive consent for processing client data. It is likely that these previous methods now fall short of full GDPR compliance, both in terms of specificity and transparency. From basic subscriptions and application forms to contract terms and conditions and website processes, it is imperative to review the means by which you’ve collected client data, as well as how you have worded your disclosures.
- Ensure appropriate encryption and safety walls behind all network data. GDPR elevates data security measures and tactics. This includes but is not limited to safe and reliable data transfers to third countries and third parties with clear consumer consent, data encryption, data pseudonymization and routine testing of network security. If using a third-party data processor, fund managers must ensure they’re compliant with encryption and technical data safety codes as well.
- The appointment of a Data Protection Officer (DPO). Complete front-to-back-end data processes could be overseen by a Data Protection Officer. The GDPR requires a DPO to exist in large-scale institutions that monitor and process a substantial amount of consumer data daily, as well as in specialized data industries, such as those handling data on criminal convictions. However, even if your management agency doesn’t fit either of these stipulations, a Data Protection Officer could still be appointed for more compliance assurance.
The fact remains that GDPR is legally binding for those outside of the European Union. If your wealth management services reach individuals, holdings or businesses in the European Union, you must comply with all the measures and acts outlined above. Yet there are some unique impacts for non-EU asset and wealth managers to keep in mind as well:
- The availability of cybersecurity insurance. Purchasing a cybersecurity insurance package could allow for greater peace of mind and familiarity with the new digital landscape GDPR creates. Cybersecurity insurance overlaps many of the pain points GDPR addresses but buffers your own protective procedures and financial risk management, including damage from data breaches, data attacks, network incidents and overall business operation interruptions.
- Explain contractual necessity to your clients across consent forms and data-collection applications. Explaining to EU clients why you need the information you do, as well as what you use it for, has never been more important. This explanation can be bundled more simply and strategically under the legal term of contractual necessity. Certain personal client materials, such as bank information, are functionally needed in order for you to deliver your financial services. This is precisely what contractual necessity mediates — that your ability to deliver an agreed-upon financial service is contingent on access to such information.
- Review third-party and vendor contracts. Revisiting your financial institution’s current third-party agreements to understand their own data-processing terms and conditions is another important step for non-EU-located wealth managers. Knowing how and why these vendors use your clients’ data, as well as communicating any client preferences for that data, are new GDPR measures.
GDPR may still seem saturated with new procedures, mandates and protocols. The most important thing for you to remember as an investment or financial manager is to start shifting your focus from attention to action. Implementing and updating your data to be compliance-friendly will be much more manageable in small chunks, and starting somewhere is better than not starting at all.
GDPR’s regulatory bodies across EU countries will place a lot of emphasis on whether a business can prove genuine compliance attempts. With that in mind, there are more than a few next steps for you to initiate today:
- Instate unambiguous consent terms and conditions. Any client consent obtained before GDPR’s official implementation date of May 25, 2018, will remain compliant only if it adheres to the criteria defined in GDPR Article 7’s Conditions for Consent. It is highly recommended that you and your firm review and address your data consent disclosures in light of the new terminology and explanation rules, as well as start methodically resending clear consent forms to your EU clients. The more explicit, the better.
- Install data management software that complies with GDPR’s rigorous, updated standards. GDPR will likely change the expectations your EU clients have in terms of reviewing and retrieving their personal information. As an asset manager, ask yourself how easy it is for you to pull a client’s data report, as well as the details and analytics included in such a document. Chances are it’s not. With GDPR, you and your fellow investment managers will need to be prepared for requests like this, as well as other data-processing questions and client tailorings — all in an efficient and timely manner. Such services are made infinitely easier through the right data-management software.
- Test your network security. Routine network screenings are likely already a part of your IT processes. Yet with GDPR, the care and quality of these tests carry extra weight. Software and hardware testing, encryption coding and constant password updates are just a few security measures that should be routinely implemented.
- Create a clear breach notification process in case your data is attacked. Not only are your brand and reputation on the line when it comes to how you handle cyber attacks, but your firm’s very legal status could be, too. Outlining a clear, detailed, step-by-step notification reaction in the case of this unfortunate event demonstrates your thoughtful implementation of GDPR tenets. Make sure that your breach notification process clearly identifies the quantitative and qualitative aspects of a breach, documents your response to it and outlines notification steps to affected individuals and relevant governing bodies within the 72-hour undue-delay period.
About Vigilant Compliance’s Cybersecurity Services
Vigilant Compliance brings over a decade of regulations-navigating experience to the wealth management and investments industries. We offer a rich and dynamic set of regulatory advisory solutions tailored to each individual client, with a keen understanding of finance compliance procedures and strategies. In partnering with Vigilant Compliance across any of our consulting services, you’re guaranteed quality insights, tactics and practices meant to shape the future success of your firm.
We’ve taken that commitment to the next level with our Cybersecurity Consulting Services. A natural branch of our overall wealth-management offerings, cybersecurity is a growing concern amongst industry leaders and practitioners. Those questioning the direction, implementation and management of clients’ digital data — as well as the increasing regulation from the SEC and other international bodies — have no further to look than Vigilant Consulting for robust and comprehensive cybersecurity expertise.
Vigilant Compliance Cybersecurity Packages
Our three cybersecurity consulting packages — Gold, Platinum and A La Carte — address the most critical and nuanced concerns of wealth management digital security, as well as give key recommendations and actionable plans for your firm to implement, today. Each provides solutions across the following cybersecurity domains:
- Cybersecurity governance: Understanding the ins and outs of changing regulatory bodies is the base of a quality cybersecurity package. We offer SEC-tailored data privacy compliance reports and oversight, with the latest regulatory updates and information in one place.
- Risk-factor identification and adaptation: The comprehensive activities of your network need safeguarding and monitoring. We ensure best-fit IT testing and security assessments to understand what your firm is most at risk for, including unauthorized activity detection, network security threats and weak spots, vendor and third-party risks and the overall security of housed client information.
- Network protection: The security and usability of your online and remote networks are paramount. Without the ability for your clients to safely transfer funds, manage assets, access portfolios and monitor overall online activity, the very reputation of your wealth management firm is in jeopardy. We run cutting-edge digital diagnostics, including penetration tests on both hardware and software, to determine the health and safety of your online infrastructure.
Our Partnership With SSD Technology Partners
In addition to our tailored cybersecurity consulting, we’ve partnered with SSD Technology Partners to provide an unparalleled approach to digital testing and assessment.
A premier IT jack-of-all-trades, SSD tackles network diagnostics with both tactical and technical savvy. Through SSD, we can provide a complete picture of your wealth-management firm’s applications, business integration, disaster recovery, risk assessment and security testing. They’re a third party we know and trust. You can expect the following results from a Vigilant-SSD partnership:
- Internal and external threat assessments.
- Risk-reducing strategic plans.
- Interviews, automated network tests and org-structure reviews.
- Process recommendations tailored specifically for the size and capacity of your financial group.
With the regulation rule book ever-changing, you’ll have peace of mind that your fund, investment and asset management remains not only GDPR compliance-reactive but proactive.
Protect yourself like you protect your clients. With big data comes big responsibility. GDPR looms on the compliance horizon, and as the largest consumer data legislative overhaul in the EU’s history, it’s sure to cause ripple effects worldwide.
With a little diligence and a lot of common sense, those ripples don’t have to turn into waves. Consult with the cybersecurity experts at Vigilant Consulting with any questions or concerns you may have for your wealth-management group. For domestic calls, we can be reached at 1-888-229-1855. For international callers, reach us at 011-44-207-183-2028.
Modified: November 7, 2018