11.22.2017

GDPR: Ready or Not, Here it Comes

11.22.2017

By Michael Corcione, Managing Director, Cybersecurity and Data Protection Consulting Services, Cordium

Michael Corcione, Cordium

The incoming General Data Protection Regulation may be an EU initiative, but it is having a worldwide impact. The new rules have a significant extraterritorial reach, so that any organization that services or controls the data of European Union residents, regardless of where the company is located, must comply.

Investment firms that are not already preparing for these new rules need to put a program in place urgently. GDPR goes live in May 2018 – and punishment for non-compliance will be severe, with fines of up to €20 million or 4% of annual turnover.

GDPR contains a tough set of data privacy and security requirements – spanning 99 articles and 173 recitals. This provides an enormous amount of regulatory detail, but key requirements include:

• Consent – To be able to process Personally Identifiable Information (PII), investment firms must ask for and receive consent from the EU citizens they are engaging with. That consent must be “freely given, specific, informed and unambiguous.”

• Understanding – Individuals have the right to know if an investment firm is holding their PII and what PII it has. The individual also has the right to have that data rectified if it is inaccurate, and erased.

• Erasure – The new GDPR creates a right for PII to be removed at the request of the individual, known as the “right to be forgotten.”

• Portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This rule enables individuals to move, copy or transfer personal data easily and securely.

• Product creation – The new rule contains a requirement for “privacy by design”, which means that all GDPR requirements must be built into products, projects, processes and systems from the point of their creation, rather than being added on later.

• Pseudonymization – Investment firms that wish to analyse customer data for trends and other insights must pseudonymize it first, to ensure the core data protection rules at the heart of the GDPR are not violated.

• Data Protection Officer (DPO) – Investment firms whose work involves the “regular and systematic monitoring of data subjects on a large scale” or extensive processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, etc.) will have to appoint a DPO. Organizations are allowed to appoint a third party to serve as the DPO.

• Broader liability – Organizations that act as data processors now fall within the EU’s PII regime, not just those who perform data controller functions. As well, the definition of what constitutes a data breach is much wider.

• Notifications – Investment firms must notify a supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” In addition, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

UK-based firms should review their existing information security and data protection framework with a view to GDPR compliance – the government has confirmed that this will be implemented in spite of Brexit. Although the GDPR builds on a pre-existing legislation, many elements are new and it is a regulation, not a directive.

Firms need to perform a readiness assessment – a process that will tease out the “real world” requirements which align with the specific articles for GDPR. The completed assessment will generate a gap analysis that reveal the firm’s deficiencies in its current policies, procedures, and controls. Finally, the firm needs to decide how it will bridge those gaps – with new policies, procedures, and technology solutions.

Investment firms not within the EU need to review whether or not they fall under the GDPR – if they market products to EU citizens then the chances are that they probably do. The good news is that in some jurisdictions, such as the US, firms that are compliant with existing data protection regimes – such as ISO 27001 or the National Institute of Standards and Technology (NIST) framework – should already have made some progress towards GDPR compliance. However, firms still need to perform a gap analysis to understand the areas in which they need to implement additional policies, procedures, and controls.

All firms who need to comply with the GDPR – no matter where they are located – should consider incorporating its requirements into their overall information and cyber security strategy. By doing this, the firm will benefit from tighter data controls, operations, and a stronger information and cyber security program. The new regulation can provide the internal momentum for investment in key tools and solutions that will not just deliver compliance, but also strategic value for the organization overall.

Markets Media Follow

Digital publisher covering trading & technology in capital markets. @marketsmedia @traders_tweets @FIXGlobalOnline @TheBondDesk @BestExecution @DerivSource

Markets Media @marketsmedia ·

13 Sep

As Technology Evolves, Asset Managers Adapt and Innovate

Reply on Twitter 1702005834081821046 Retweet on Twitter 1702005834081821046 Like on Twitter 1702005834081821046 3 Twitter 1702005834081821046

Markets Media @marketsmedia ·

13 Sep

Citi Changes Organizational Structure

Reply on Twitter 1701949103419048274 Retweet on Twitter 1701949103419048274 Like on Twitter 1701949103419048274 Twitter 1701949103419048274

Markets Media @marketsmedia ·

13 Sep

SEC Charges Virtu for Disclosures Relating to Information Barriers

Reply on Twitter 1701875573344157802 Retweet on Twitter 1701875573344157802 Like on Twitter 1701875573344157802 Twitter 1701875573344157802

Markets Media @marketsmedia ·

13 Sep

ICE Futures Singapore Partners with CoinDesk Indices

Reply on Twitter 1701870991540895961 Retweet on Twitter 1701870991540895961 Like on Twitter 1701870991540895961 Twitter 1701870991540895961

From The Markets

Study: 93% of Companies Won't Meet GDPR Deadline

Approximately a third of firms require substantial changes to their data security practices.

05.24.2018 By Rob Daly , Editor-at-Large
From The Markets

Majority of Industry to Miss GDPR Deadline

Only 1 in 50 firms have finished their preparations.

04.25.2018 By Rob Daly , Editor-at-Large
Latest News

Firms Play Regulatory Odds on GDPR

Outsourcing regulatory responsibility is not an option.

04.16.2018 By Rob Daly , Editor-at-Large
Latest News

US Firms Not Ready for GDPR

Fewer than one in ten are prepared for the EU regulation's May deadline.

04.03.2018 By Rob Daly , Editor-at-Large
From The Markets

NEX Regulatory Reporting Launches Identifier Service

The short code provides a secure data repository for personal information.

02.13.2018 By Shanny Basar , Senior Writer

Want the latest news on securities markets -- FREE?

GDPR: Ready or Not, Here it Comes

NEWSLETTER SIGN UP

Related articles

Study: 93% of Companies Won't Meet GDPR Deadline

Majority of Industry to Miss GDPR Deadline

Firms Play Regulatory Odds on GDPR

US Firms Not Ready for GDPR

NEX Regulatory Reporting Launches Identifier Service