The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. The regulation aims to protect personal data that can directly or indirectly identify a natural person (whether or not the person is an EU citizen) who resides in the EU (Data Subjects) and whose personal data is in the possession of an organization or another person (Recipient).
The regulation’s extraterritorial scope applies to Recipients across any industry on a global level. Accordingly, many U.S. organizations and businesses, including U.S. investment advisors and their affiliates, will be impacted by the GDPR. To learn more about GDPR, I spoke with my colleague, Melissa Cefalu.
Which GDPR conditions and requirements your firm must adhere to will depend upon whether your firm is acting in the capacity of a “Controller” or a “Processor” in the receipt and management of personal data as prescribed by the regulation. Although this appears to be a binary distinction, in practice these roles may not be mutually exclusive.
As the regulation applies to U.S. investment advisors, the GDPR will govern any personal data from an investment advisor’s employees, investors, and clients that have an EU presence. As such, U.S. investment advisors with EU investors will be subject to the regulation.
The GDPR also will apply to U.S. investment advisors that have a physical office, including the firm’s branch offices and offices of its affiliates, present in the EU. U.S. based investment advisors that do not have a physical presence in the EU will become subject to the GDPR if such investment advisors monitor or process the personal data of Data Subjects.
Accordingly, the GDPR will govern investment advisors that have a virtual EU presence through the firm’s marketing and business strategies via the internet and the firm’s website or offer investment management services to EU-based clients.
In addition to regulating the collection and processing of personal data, the GDPR promulgates an international data breach notification requirement. Under the GDPR, a firm will be required to notify the Information Commissioner’s Office (ICO) within 72 hours from the time a data breach occurs and may also be required to notify the affected Data Subjects.
Moreover, penalties for a Recipient’s noncompliance with the GDPR are grave and can result in fines — the greater of 20 million euros or 4% of the Recipient’s total worldwide annual revenue. Investment advisors preparing to become GDPR compliant should consider taking the following steps:
1. Evaluate all aspects of your firm’s data privacy processes, including your firm’s data privacy processes with third parties. U.S. investment advisors should consider the GDPR’s impact on third-party relationships with transfer agents, funds, investment managers, and any other third parties involved in the production of investor documentation such as investor notifications and financial statements.
2. Review your firm’s current data privacy policies and procedures to ensure that they contain appropriate safeguards to protect personal data as required under GDPR.
3. Review your firm’s agreements and privacy notice disclosures pursuant to GDPR. The GDPR requires that Recipients obtain the Data Subject’s “informed consent” prior to receiving the Data Subject’s personal data. Therefore, firms may be required to amend their existing agreements and privacy notices with Data Subjects in order to be GDPR compliant. With regard to third-party relationships, such agreements may need to be amended in order to address certain GDPR requirements.
4. Develop a compliance monitoring program that incorporates risk management practices, data breach notification requirements, and employee training to increase firm-wide awareness on how GDPR will impact your firm’s business.
The GDPR is brand new territory that will impact many U.S.-based registered investment advisors. Please ascertain whether GDPR is applicable to your firm.
Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark, a law firm with offices in Princeton, New York and Philadelphia that represents investment advisors, financial planners, BDs, CPA firms, registered reps and investment companies, and is a regular contributor to Investment Advisor. He can be reached at firstname.lastname@example.org.