What GDPR means for the asset management industry
This Spring 2018 will bring a change in regulation around data protection. Bruno Fiastre, Executive Vice President, discusses what GDPR means for the asset management industry in Opalesque.
The arrival of warm weather in the Northern Hemisphere this year will bring with it another change: the General Data Protection Regulation will come into force. The legislation, which can affect any company holding information about citizens of the European Union or offering services to its residents, is sweeping in scope. Despite years of lead time, the run-up to implementation has been fraught. At Davos this year, world leaders and corporate heads fretted over whether people would be impacted. TechCrunch neatly summed up the situation in a recent headline, asking “WTF is GDPR?”
For asset managers, the potential impacts of GDPR are manifold. Under GDPR, data protection is “by design and default,” meaning protection must be built in from the outset rather than being something a person has to opt into. The definition of personal data has been broadened and now includes pseudonymous data, such as cookies or hashed email addresses. Asset managers need to understand all data in their possession pertaining to clients and what responsibilities they have under this legislation.
The law firm Matheson laid out several requirements for the asset management industry under GDPR:
- The need to appoint a data protection officer if the company processes large amounts of sensitive data
- Report data breaches to supervisory authorities within 3 days (unless the breach will not pose a risk to individuals' rights)
- Implement technological and organizational measures to ensure security of data
- Maintain more extensive records of processing activities
Allison Schiff, in a recent piece on preparation, advocates first looking into the scope of the problem: “Vendors need to engage in a detailed data mapping exercise to figure out how data flows through the organization, including what data is being collected, how it’s collected, where it’s stored and who has access.”
GDPR makes an important distinction between “data processors” and “data controllers.” Data controllers control and are responsible for personal data, while data processors hold data but do not exercise control over it. Cloud providers, such as our company, are generally data processors. Asset managers, on the other hand, typically count as data controllers.
This means asset management firms will face stringent requirements around client data. The regulation comes at a time when two trends may complicate compliance. The first is the sum total of new requirements foisted on financial companies all over the world in the past decade, from MiFID II to Dodd-Frank. At the same time, money for operations has been squeezed by reduced margins across firms. Asset managers need to do more with less. With GDPR, they are going to have to do even more with even less.
After completing a data audit, asset managers will need to look at the places where sensitive information enters and exits the firm. The investor relations process will be a key part of this, but it will not be the only one. If a firm has separately managed accounts, there could be parts of the investment process that identify client information.
GDPR could represent a chance to unite scattered systems around a single solution. There are many areas where data can be insecure, from individual employee laptops to personal devices and the movement of pieces of information between different programs. Integrating with industry-standard programs (many of which were designed for companies that typically do far more external communication) can help meet requirements. Furthermore, large vendors have, by matter of necessity, been very transparent about how they are complying with the new regulation.
This is also a good time to remind employees about good general hygiene around sensitive information. Don’t share sensitive information unnecessarily. Don’t mix the personal with the professional. Don’t do anything that wouldn’t hold up to scrutiny by government officials. Because now, more than ever, they are watching.
Bruno Fiastre is an executive vice president at Taliance, based in New York.