One such stringent regulation, the General Data Protection Regulation (GDPR), has been created to replace the 1995 Data Protection Directive, which is no longer fit for purpose in today’s cyber world. When it is brought into force in 2017, the GDPR intends to strengthen and unify data protection for individuals within the European Union, and it also addresses the issue of exporting personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Whilst the GDPR is a European regulation, any firm that provides goods or services to a customer in the EU must comply. Compliance with the GDPR means that firms must:
- Inform the individual that their data will be collected and what it will be used for.
- Keep personal data for a limited time only, erasing or reviewing the data at the end of the allocated time period.
- Inform individuals of the risks, rules, safeguards and rights in relation to the processing of their data.
- Put a process in place for individuals to request access to their data, make changes or withdraw consent to use the data at any time.
- Ensure that any external data processors, such as a cloud services partner, meet all the regulations concerning the security of the data.
- Notify individuals of a data breach, where the data is unencrypted, within 72 hours.
- Appoint a data protection officer to ensure compliance if the firm has more than 250 employees, or more than 5000 customers within a 12-month period.
For hedge funds and alternative investment firms, which are required to collect personal data to adhere to money laundering regulations and to guidance on investor suitability for the different vehicles a firm offers, the GDPR will prove onerous. In addition, it allows huge fines to be levied for non-compliance, so it has a real bite. A recent survey by the cybersecurity vendor FireEye found that 58% of respondents across firms in the EU were concerned about potential non-compliance fines.
Worryingly, the same survey found that only 60% of respondents in the UK felt that their organisation fully understood the requirements of the regulation. Whilst many firms will look to their in-house CTO or Compliance Officer to lead on the implementation of a data protection strategy that meets the regulations, some may be looking to external consultants or partners to fill a knowledge or skills gap.
The good news for firms is that, by encrypting, tokenising or pseudonymising data, they will often be meeting the regulation’s strict expectations of what constitutes adequate data protection. If there is a data loss but the encryption key has been kept safe, the regulators should be satisfied.
If you’re unsure about the GDPR and how it might affect your firm, don’t hesitate: time is running out to put measures in place, so act quickly.