In the first week of May Intertrust and HFM hosted a breakfast briefing, panel discussion and networking event for Boston fund managers on the impact of the EU's General Data Protection Regulation (GDPR) on US investment managers. The panel discussed various aspects of the new regulation including the basics of GDPR, PII (personally identifiable information) and, most importantly, what practical action should be taken to ensure compliance. Let's take a look at the top tips learned and the most common pitfalls to avoid.

The panel opened by asking who in the room was comfortable with their obligations under GDPR. Following a low show of hands they summarised the key aspects of GDPR to set the scene:

The new rules have been implemented to modernise and harmonise data privacy laws across the EU. Importantly, GDPR places control of personal data back with the individual. The rights it grants include the right of access to the information held and the right to rectification of errors; the right to data portability; and, importantly, the rights to restrict processing, to object to processing and to have data deleted.

The panel went on to discuss the practical considerations of implementing an internal GDPR regime and we summarise their top tips below:

Consider how you might be captured by GDPR

  1. Think internally: What activities do you perform as an organisation which require you to hold PII on individuals in the EU? Some examples include employee CVs, references for applicants for roles, and similar data on former employees.
  2. Think client facing: Some examples include your marketing database, AML/KYC records on counterparties and investors, and additionally whether your service providers are GDPR compliant.

The PII you didn't know you have (which can sink you anyway)

It's important to understand what counts as PII and why you should be holding it:

  1. Personally identifiable information is any data that could potentially identify a specific individual. Note that GDPR itself uses the broader term "personal data" (Article 4(1)): any information relating to an identified or identifiable natural person. This means any information which can be used to distinguish one person from another, including information which can be used to re-identify supposedly anonymous data, can be considered PII - this is far reaching! Some examples include basic data like names and email addresses all the way to highly sensitive data including social security numbers, bank account details, photographs and biometric data.
  2. In order to hold and process PII you must have a valid lawful basis (Article 6): consent; performance of a contract; a legal obligation; vital interests (protecting someone's life); a task in the public interest or official authority (typically relied on by public bodies); or legitimate interests, where the controller's own interests are weighed against the rights and freedoms of the individual and the outcome is documented. For a fund manager, contract, legal obligation and legitimate interests will usually be the relevant bases; consent should be relied on only where it can be freely given and withdrawn.

Getting ready for GDPR

It is important to put a plan in place even if the plan is not fully realised by 25 May 2018, the date from which GDPR applies. Authorities are much more likely to take a pragmatic approach to organisations which have a plan and can demonstrate progress than to firms which have done nothing.

So how do you get ready?

  1. Map your data. Perform an analysis of the data you hold, where it is stored, how it is stored, what it is used for, how and by whom it is accessed and whether it is shared. Data is everywhere!
  2. Prepare a data control plan using your map. Bring all PII under a known, managed system of record, review access rights to PII, and consider what PII and/or processing thereof is not required or justified.
  3. Vendor analysis: As a controller of data you will need to map all vendors that handle PII on your behalf (your processors), risk rate each and work with counsel to re-paper agreements ranked by risk, to include the processor terms GDPR requires (Article 28).
  4. Cybersecurity updates to prioritise the controls and processes around PII. Do not forget about archived data such as historical back-up tapes and the security around them.
  5. Prepare a training plan for the ongoing education of employees. Consider whether some employees handle more sensitive PII, such as your HR or finance teams, and develop the training with a risk-based approach in mind.
  6. Prepare and document your policies and procedures. Ensure the procedures and training include what to do in the event of a breach and the reporting process; under GDPR a personal data breach must be notified to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33), so the internal escalation path needs to be fast and well rehearsed.

Common misconceptions and pitfalls - and how to avoid them.

Don't assume GDPR does not apply to your business.

Assuming the rules are only applicable to Google and Facebook and not to US fund managers without EU investors is risky. GDPR is certainly more focused on the likes of Google and Facebook, but under Article 3 it captures any company, wherever established, that processes PII of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. Note that the test is where the individual is, not their nationality. For example, your marketing database may include email addresses of contacts based in the EU, or a US-domiciled investor may have moved to an EU office.

Over-reliance on existing strong cybersecurity procedures and infrastructure

The US regulators have been banging the cybersecurity drum for a number of years and we have certainly seen a vast improvement in all aspects of cybersecurity across the industry. Good security controls are necessary but not sufficient: GDPR also asks what you hold, why, for how long and who you share it with. It is still recommended to review your cybersecurity policies and tighten them to cover the GDPR requirements around PII.

Reliance on reverse solicitation for EU investors coming into the fund

Whilst we have seen some legal advice suggesting that reverse solicitation keeps EU investors' data outside GDPR, the actual test in Article 3(2) of GDPR is whether you are offering goods or services to individuals in the EU (whether or not payment is required) or monitoring their behaviour there. If your offering and marketing documents contain wording aimed at EU-based investors, or you have an EU wrapper, then that might be enough to bring you within scope regardless of how the investor first made contact.

Deletion of data per GDPR rules

The right of an individual to have their data erased (Article 17) will sometimes be at odds with other laws such as local AML record-retention rules. The right to erasure does not apply where you are required to keep the data to comply with a separate legal obligation (Article 17(3)(b)); in that case you must retain it, but you should document the basis for retention, restrict the data to that purpose and be able to explain this to the individual who made the request.

Start mapping your data and vendors as soon as possible

In conclusion the panel agreed that US fund managers should not assume they aren't captured by GDPR and should take the appropriate steps towards having a defensible position in place by 25 May 2018. Whilst the expectation is that, in the absence of a serious breach, the authorities would not be enforcing aggressively from day one, firms without a plan run a serious GDPR risk, and there is no upside to non-compliance that would justify taking it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.