Working with the finances of their clients, fund managers have long been subject to rigorous data privacy regulations. However, from May 25th onwards, the new EU-wide General Data Protection Regulation (GDPR) will require changes in the processes also in the fund management industry. In this short article we will summarize the key points of the new regulation, and discuss the most important factors to take into account when getting ready for the upcoming implementation of the GDPR.
GDPR – Key points for a marketing officer
The GDPR is a regulation that was created to increase the privacy of EU citizens. The rules apply to all companies working with the data of EU citizens, thus also to companies not based or physically present within the European Union. Though complex, the most important and relevant parts of the new regulation are the following:
1. Requirement for explicit agreement for contacting
Companies will be required to ask for explicit permission to contact consumers. This permission needs to be based on transparent information – the consumer should know which purpose his or her data will be used for.
2. Being able to show all data from one individual when asked
Consumers are guaranteed the right to request all their personal data that a company has stored. This data is connected to the individual, meaning that companies need to be able to identify data coming from the same person regardless of the source of the data.
3. Consumers have the right to request the deletion of all their private data
The GDPR guarantees consumers the right to request a company to delete all their private data. This, again, requires companies to have the ability to quickly and efficiently identify all data originating from the same individual.
4. Being able to demonstrate processes that ensure compliance with the new regulation
Finally, companies must be able to demonstrate compliance with the new regulation when requested. Processes and procedures need to be in place – it is not enough to simply comply.
Steps towards compliance
The following steps can help you check the situation of your organization, regardless of whether you are already well-prepared for May 25th or still busy understanding the situation and creating processes.
1. Create an interdepartmental project team
Fund managers gather personal data in various different ways. Prospects may be identified when they enter a website, sign up for a newsletter, download brochures or attend events. Information is often also provided by third parties specializing in lead generation. There are many additional data entry points, which are often spread across various departments and teams. Create interdepartmental understanding of where the data comes from, how it is stored, and what is required to connect the data points ensuring tracking data back to the individual it relates to.
2. Discuss with your software suppliers
Do not simply expect your software to be compliant with the new regulations – talk with your software suppliers and understand how they help you with the new requirements, or what you still need to do to ensure compliance.
3. Document the processes and procedures
Create clear documentation that explains the processes and systems in place to ensure compliance. Assign responsibilities. This documentation is not only crucial for compliance with the GDPR, but also helps share knowledge across the organization. Do not forget to think about the format for exporting data – you should provide the data to requesting consumers in a legible, understandable format.
4. Check the necessity for a Data Protection Officer
The GDPR regulation requires you to ensure that sufficient staff has been appointed to take care of compliance with the regulation. Appointing a Data Protection Officer (DPO), who centrally is responsible for up-to-date knowledge and the processes related to GDPR, can be a good idea for any organization. However, if you are regularly and systematically monitoring large scale data of individuals or dealing with certain categories of special data, this is even mandated by the new regulation.
And the risk of not complying? The maximum fine is 4% of worldwide annual revenue or 20 million euros – avoiding this is well worth the investment now.
Vincent Hooplot & Michiel Breeschoten