Our GDPR expert, Melissa Cefalu, has advised that since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, the regulatory landscape of data privacy management has continued to evolve. With respect to the GDPR, many firms are still working towards compliance as industry trends begin to take practical effect.
As of early October, Melissa has advised that EU regulators have not instituted any enforcement actions, nor issued any guidance specific to financial services firms complying with the GDPR.
Here are answers to some frequently asked questions pertaining to the GDPR. The responses apply to investment advisory firms that do not have an EU presence but have EU-based clients.
What is the difference between a “controller” and a “processor”? The GDPR defines a “controller” as the entity and/or organization that determines the purposes and means of processing personal data. A “processor” is defined as the entity and/or organization that processes personal data on behalf of a controller.
What are processors’ legal requirements under the GDPR? Processors are subject to specific legal obligations: they must maintain records of the personal data they collect and of their processing activities, and they are liable for any breach of such personal data if the processor is found to be responsible for the breach.
How does the distinction between a controller and a processor apply in the investment advisory space? The investment advisor is a controller because it establishes the client relationship, collects the client’s personal data (as defined under the GDPR), and decides how the client’s personal data is disseminated in connection with providing client investment management services.
Generally speaking, each third-party entity and/or organization with which an investment advisor shares EU personal data for processing on the firm’s behalf is a processor.
Is a processing addendum required when a controller shares personal data with a third party? In general, the GDPR requires that controllers, and the relevant third parties with whom controllers share personal data, amend their current agreements with a Data Processing Addendum (DPA) to memorialize certain representations and obligations required under the GDPR.
As the industry continues to develop, we have observed that there are currently two variations of this agreement in the investment advisory space: a controller-controller agreement and a controller-processor agreement.
What kinds of provisions are generally required in third-party processing addendums? The GDPR requires a minimum of 13 provisions in a DPA. These provisions include:
1. A description of the processing activity, including the subject matter, duration, nature and purpose of the processing, as well as the type and categories of the personal data being processed;
2. The processing activity instructions;
3. Confidentiality provisions;
4. Identification and implementation of the processor’s security measures and controls;
5. Authorization for the processor to use subcontractors to process personal data;
6. Identification of obligations that may be inherited by subcontractors that process the personal data;
7. Liability of subcontractors;
8. Procedures for responding to data subject requests;
9. Representations by the processor to cooperate with the controller in the event of a data breach;
10. Representations by the processor to cooperate with the controller in performing data protection impact assessments (“DPIA”) (as applicable);
11. Controls and representations concerning the return or deletion of personal data;
12. The controller’s audit rights; and
13. Controls governing cross-border transfers of personal data.
Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark. He is a regular contributor to Investment Advisor. He can be reached at email@example.com.