[ UPDATE ]
Fund managers reporting mixed readiness for GDPR
FUND MANAGERS WHO ARE ONLY JUST FIGURING OUT MIFID II APPEAR TO BE PARTICULARLY BEHIND THE CURVE WITH GDPR PREPAREDNESS.
A few years back, a livid father from Minneapolis stormed into his local Target and berated the manager for sending his teenage daughter coupons for their pregnancy stock. The daughter – who was expectant but had not yet told her family – had been browsing Target’s pregnancy selection, which was flagged by the company’s customer tracking system leading to the coupons being dispatched in the post to her house and unsuspecting father.
Unfortunate stories like this have convinced regulators that the license which companies have to use customer data for commercial purposes needs to be more tightly controlled, and it is the basis behind the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR is not a piece of financial services regulation, but it will bring about some significant changes in the industry from May 2018.
GDPR compliance progress is seemingly quite mixed across financial services, according to industry experts. “Some firms are better prepared and have been working for longer on their GDPR compliance. We are generally seeing a different range of preparedness across different sizes of clients,” said Wendy Phillis, head of governance and regulatory solutions in Europe and APAC at RBC I&TS.
Fund managers who are only now just figuring out quite what the Markets in Financial Instruments Directive II (MiFID II) means for their businesses appear to be particularly behind the curve. “Many financial institutions are still in the early stages of GDPR compliance, mainly because a lot of organisations have been busily implementing MiFID II and certainly are at an earlier stage than we would have anticipated given the deadline,” said Mark Browne, partner at law firm Dechert in Ireland.
GDPR is an enhancement of existing data protection rules, and insists that financial institutions must acquire consent from consumers to use their data, and gives people the right to be forgotten. GDPR also requires organisations to provide clients with a comprehensive explanation as to what their data rights are and how information is used.
GDPR also mandates that organisations have mechanisms in place to avert or manage data breaches. “GDPR puts a lot of emphasis on ensuring companies have processes and controls in place to protect data. In the event of a breach, firms need to respond quickly and robustly, in order to demonstrate to regulators that their processes are solid,” commented Phillis.
Organisations are reinforcing their data security in anticipation of GDPR, although cyber-protection has been a long-standing area of concern for banks.
Large organisations are in the midst of recruiting chief data protection officers, a newly created position under GDPR for firms with more than 250 staff. “Major banks have employed chief information security officers and data protection officers for a long time now so this requirement is fairly straightforward,” said Phillis.
REMINDER: GDPR comes into force on 25 May 2018
Getting GDPR wrong is an expensive mistake to make with fines of up to 20 million euros or 4% of annual turnover. The UK Financial Conduct Authority (FCA) reminded financial institutions earlier this month of their GDPR obligations, adding there were no conflicts of interests between the latest rules and FCA provisions around data processing, an issue which several banks had flagged previously.
Others feel there are arbitrages elsewhere with GDPR. “There are some potential conflicts between GDPR and other regulations. MiFID II, for example, requires financial institutions to record telephone calls and hold that data for a prescribed period of time, so marrying that requirement with GDPR could be tricky albeit not insurmountable. A key concern would be an inability to provide for leeway outside the strict requirements of the other legislation creating obligations potentially conflicting with GDPR,” said Browne.
Spring 2018
globalcustodian.com