If compliance and operations managers at US asset management firms are asking themselves that question, they are already in hot water. They should have started data mapping and amending their contracts with third-party service providers such as fund administrators and transfer agents, say data privacy experts.
Already effective as of May 25, the GDPR harmonizes the hodgepodge of data privacy rules across European Union member states, for the first time imposes obligations directly on third-party data processors, and reaches firms outside the European Union. Firms don’t need to have an office in Europe or even European investors to be subject to the GDPR. It applies to any firm that holds personal data on individuals in the EU, offers “goods or services” to individuals in Europe or monitors the behavior of individuals in the EU. Having a website through which European individuals can request information could be enough to fall under the GDPR’s rules (the regulation’s own recitals say mere accessibility of a website is not, by itself, enough, but soliciting inquiries from EU residents in their language or currency points to intent to serve them). So might hiring a market research firm to survey European investors.
Given that the GDPR’s range of applicability is so extensive and ill-defined, US asset managers would rather be safe than sorry. “They can’t take the chance that an investor or whistleblower will complain to a European regulator,” cautions Doron Goldstein, partner and co-head of the privacy, data and cybersecurity practice with the law firm of Katten Muchin Rosenman in New York. Penalties for the most serious violations of the GDPR can be steep: up to the greater of €20 million or 4 percent of worldwide annual turnover.
Yet many US asset managers appear to be taking a big regulatory gamble. A survey of 250 US asset managers conducted by Cordium, a New York-based regulatory compliance consultancy, in April showed that about one-third had not even started getting ready for GDPR. The remainder had not completed their work.
“There has been a flurry of preparatory activity over the past few weeks leading up to the May 25 deadline,” says Michael Corcione, managing director of Cordium’s cybersecurity and data protection practice. “However, some US asset managers are still struggling with getting updated contracts with GDPR addendums from mid-tier third party service providers.”
Lapse in Judgement
Too many US asset managers erroneously thought they didn’t have any personal data on European investors. They simply didn’t understand what to search for or where to look. “Personal data is a broad term referring to any type of data that can be used to identify an investor,” says George Bollenbacher, a partner in charge of the market evolution practice at financial services consultancy Capital Markets Advisors in New York. That could be specific information such as the investor’s name, address and tax or government identification number. It could also be the investor’s hobbies or investment preferences. Pseudonymous information such as cookie identifiers or hashed email addresses also counts as personal data: the regulation treats data as personal as long as someone holding additional information (a key, a lookup table, a mailing list) can tie it back to an individual.
Investor relations and marketing departments aren’t the only ones holding onto personal investor data. “Traders can hold onto personal data on their smart phones or other digital devices,” says Bollenbacher.
Even if they can’t find any information on European retail investors within their walls, US asset managers could still be stuck complying with GDPR. The regulation attaches to the personal data itself, not only to the firm holding or controlling it, so it follows the data even when a third-party transfer agent or administrator holds it. If that data is ever moved from Europe to the US for any reason, the US asset manager may have to commit, through a recognized transfer mechanism such as the standard contractual clauses, to protecting it to GDPR standards.
For US asset managers that decide to comply with GDPR, figuring out their responsibilities won’t be easy. They will need to know whether they fall under the category of data controllers or data processors. A controller determines the purposes and means of processing; a processor handles the data on the controller’s behalf and instructions. Controllers have far more work to do than processors.
“US asset managers will often be data controllers, but in some cases they may be co-data controllers or even processors depending on the specific business processes involved,” says Corcione. “Fund managers that do their own fund administration or shareholder recordkeeping work will be defined as both data controllers and data processors.” Fund administrators and transfer agents could fall under the category of either data controllers or data processors while cloud providers will likely fall only under the category of data processors.
US asset managers and their service providers will likely need to change the terms of their contracts to take into account who is legally and financially responsible for meeting the rules of the GDPR. “Data processors will also have to keep records of their agreements with data controllers and retain proof they are dealing with the data as specified under the GDPR section of their contracts,” says Paul Sinthunont, an analyst at research firm Aite Group in London. “The agreements need to include the type, purpose and duration of data processing, the types of personal data, the rights and obligations of the data controllers, and the requirements to delete data.”
What to Do
Complying with GDPR as a data controller means more than just keeping customer data safe from hacking. It involves maintaining a manual of policies and procedures covering what data is considered personal data, how it is collected, how it is used, and how investors can have their data deleted if they wish. In addition, the data may be stored for no longer than necessary and used only for the purpose for which it was originally collected.
What all that boils down to is that the US asset manager will first need to complete a rigorous data mapping exercise. “Many firms still face multiple silos of data in multiple business units across their organization,” says Sinthunont. “It would be advisable to appoint privacy champions within different business units to help build a culture around employee management of personal data in a similar manner to data stewardship or governance.”
Technology can help. US asset managers can build or license platforms to find where investors’ personal data is stored and to keep a central inventory. They can also put a system in place that records how they use the data, which doubles as the record of processing activities the regulation expects and documents the rationale for holding onto the data, says Sinthunont.
When it comes to informing investors about GDPR, US asset managers will need to review all of their key disclosure documents, including websites, to determine whether they include a clear explanation of investor rights. “Given that subscription documents already contain a US data privacy notice it also may be beneficial to include a GDPR privacy notice where the subscription documents are to be used by European investors,” says Goldstein.
Of course, US asset managers also need to create a policy on how data is stored and destroyed when no longer needed, how to prevent a data breach, and how to notify the supervisory authority of a breach within 72 hours of becoming aware of it, even while an internal investigation is still underway. Call center employees must be trained to know what to tell investors about GDPR and what to do when asked to delete data.
Data Protection Officers
Who should be in charge of all that work to comply with GDPR? The regulation refers to a data protection officer (DPO), yet not all US asset managers will need to appoint one. The role is mandatory only for firms whose core activities involve regular and “systematic monitoring” of individuals in the EU on a large scale, or large-scale processing of sensitive categories of personal data.
The GDPR also doesn’t define who should be selected as the DPO, but it does suggest who shouldn’t. “US asset managers who decide to appoint DPOs must have those roles independent from the technology or marketing departments,” says Joanna Fields, a managing principal at Aplomb Strategies, a New York consultancy specializing in regulatory compliance. “The job title will likely fall to someone in either the legal or audit departments who also has knowledge of technology.”
Finding a DPO with such a huge skill set who must supervise policies and procedures for so many departments — investor relations, marketing, IT and compliance to name a few — won’t be easy and will cost plenty. Therefore, only asset managers with a large pool of European investors will likely appoint dedicated DPOs. Those with a small to mid-sized European base, says Fields, will either outsource the function to consultancies or cloud providers or delegate the DPO’s responsibilities to an existing compliance or legal expert.
One of the most difficult aspects of complying with GDPR may be knowing when to delete customer data. Erasing an investor’s data will be an easy enough decision to make when the investor decides to sell its shares. The compliance department would have to contact the IT department to track down where the data is held and then instruct its erasure. If the data is held at a third-party firm, that firm would also need to be notified to delete the data and provide some certification the job was done.
However, there could be times when the firm must inform an investor that it has to hold the data longer for regulatory purposes. What if the customer wants to delete data because he or she is afraid of being caught for money laundering or other illegal activities? Fortunately, the “right to be forgotten” isn’t absolute: the regulation exempts processing that is necessary to comply with a legal obligation, such as recordkeeping and anti-money-laundering rules. “Compliance departments will end up having to create new policies to review each request to delete and determine whether the activity of the investor is suspicious before deleting,” says Bollenbacher. “The asset manager may be forced to hold off on deleting while an investigation takes place and could ultimately refuse to delete the information.” Knowing what to tell the investor could become tricky. No one wants to tip off a potential criminal.
For US asset managers that already follow an information security framework such as ISO 27001 or NIST’s guidance, dealing with GDPR will be a lot easier than for those that don’t, predicts Corcione. However, even the most legally savvy US asset managers will have their work cut out for them because GDPR is about more than data protection. It involves establishing investor rights and transparency about how data is handled.