Spring Lunch Series Recap: General Data Protection Regulation (GDPR)
By George Ralph, Managing Director, RFA
Last month, we hosted our second annual spring lunch series at Claridge’s in Mayfair, London. This year’s series was focused on several of the regulations currently affecting the European financial services sector. Some of the regulations, such as MiFID II, are about to be introduced, whilst others, such as AIFMD, have been around for some time, but have continued to cause challenges for hedge fund managers. Over the next several blog posts, I will be delving into each regulation and what it means for your business. To follow last week’s post on AIFMD, this week I will be covering everything you need to know about the General Data Protection Regulation, also known as GDPR.
The purpose of the General Data Protection Regulation (GDPR) is to replace the 1995 data protection directive. The original directive was deemed no longer relevant because it could not address the needs of today’s cyber-focused world. GDPR is due to enter into full force in 2017, and intends to strengthen and unify data protection for individuals within the European Union as well as address the issue of transferring personal data outside the EU. Its primary aim is to give citizens more control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR is a European regulation, but any firm that provides goods or services to a customer in the EU must comply. Compliance with the GDPR means that firms must:
- Inform the individual that their data will be collected and what it will be used for.
- Keep personal data for a limited time only, erasing or reviewing the data at the end of the allocated time period.
- Inform individuals of the risks, rules, safeguards and rights in relation to the processing of their data.
- Put a process in place for individuals to request access to their data, make changes or withdraw consent to use the data at any time.
- Ensure that any external data processors, such as a cloud services partner, meet all the regulations concerning the security of the data.
- Notify individuals of a data breach, where the data is unencrypted, within 72 hours.
- Appoint a data protection officer to ensure compliance if the firm has more than 250 employees, or more than 5,000 customers within a 12-month period.
For hedge funds and alternative investment firms, which are required to collect personal data in order to comply with money laundering regulations and with guidance on investor suitability for the different vehicles a firm offers, the GDPR will prove challenging because it allows huge fines to be levied for non-compliance. Several attendees at our spring lunch series expressed confusion and concern over this recent regulation, with many saying that they did not fully understand its requirements. Additionally, a majority of attendees said that they would be looking to their in-house CTO or Compliance Officer, together with external consultants and partners, to lead the implementation of a data protection strategy that meets the regulation.