The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. The regulation aims to protect personal data that can directly or indirectly identify a natural person (whether or not the person is an EU citizen) who resides in the EU (Data Subjects) and whose personal data is in the possession of an organization or another person (Recipient).
The regulation’s extraterritorial scope applies to recipients across any industry on a global level. Accordingly, many U.S. organizations and businesses, including U.S. investment advisors, and their affiliates, will be impacted by the GDPR. To learn more about GDPR, I spoke with my colleague, Melissa Cefalu.
To assess what GDPR conditions and requirements your firm must adhere to will depend upon whether your firm is acting in the capacity of a “Controller” or a “Processor” in the receipt and management of personal data as prescribed by the regulation. Although a seemingly binary approach, in practice, these roles may not be mutually exclusive.
As the regulation applies to U.S. investment advisors, the GDPR will govern any personal data from an investment advisor’s employees, investors, and clients that have an EU presence. As such, U.S. investment advisors with EU investors will be subject to the regulation.
The GDPR also will apply to U.S. investment advisors that have a physical office, including the firm’s branch offices and offices of its affiliates, present in the EU. U.S. based investment advisors that do not have a physical presence in the EU will become subject to the GDPR if such investment advisors monitor or process the personal data of Data Subjects.
Accordingly, the GDPR will govern investment advisors that have a virtual EU presence through the firm’s marketing and business strategies via the internet and the firm’s website or offer investment management services to EU-based clients.
In addition to regulating the collection and processing of personal data, the GDPR promulgates an international data breach notification requirement. Under the GDPR, a firm will be required to notify the Information Commissioners Office (ICO) within 72 hours from the time a data breach occurs and possibly be required to notify the affected Data Subjects.