Our GDPR expert, Melisa Cefalu, has advised that since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, the regulatory landscape of data privacy management has continued to evolve. Many firms are still working towards GDPR compliance as industry trends begin to take practical effect.
As of early October, Melissa has advised that EU regulators have neither instituted any enforcement actions nor produced any guidance specific to financial services firms complying with the GDPR.
Here are answers to some frequently asked questions pertaining to GDPR. The responses apply to investment advisory firms that do not have an EU presence, but possess EU-based clients.
What is the difference between “controllers” and “processors”? The GDPR defines a “controller” as the entity or organization that determines the purposes and means of processing personal data. A “processor” is defined as the entity or organization that processes personal data on behalf of a controller.
What are processors’ legal requirements under the GDPR? Processors are subject to specific legal obligations: they must maintain records of the personal data they collect and of their processing activities, and they are liable for any breach of such personal data if the processor is found to be responsible for the breach.
How does the distinction between a controller and a processor apply in the investment advisory space? The investment advisor is a controller because it establishes the client relationship, collects the client’s personal data (as defined under the GDPR), and decides how the client’s personal data is disseminated in connection with providing client investment management services.