GDPR Is Here: Are You Ready?

Author: NICSA

The General Data Protection Regulation (GDPR), in effect on May 25, has impacted funds, distributors, administrators and depositaries that come into contact with personal data of EU citizens, regardless of where they are based.

NICSA members received details about the regulation, industry obligations and other practical guidance during a recent #WebinarWednesday session moderated by Nitin Pandey, Senior Manager, Risk and Financial Advisory, Deloitte & Touche LLP. The panel featured esteemed experts from Crestbridge Luxembourg, DLA Piper Luxembourg and Northern Trust. (NICSA members may replay an archive of the webinar here.)

Olivier Reisch, Partner, DLA Piper Luxembourg, shared his perspective as co-chair of ALFI’s GDPR Working Group, which kicked off in Sept. 2017. The group’s 60 attendees focused on the considerations of various stakeholders — including management companies, TAs, custodians, lawyers and consultants — during 2-3 hour meetings over a few months before compiling a draft of the ALFI GDPR Q&A document.

“We had the privilege of meeting with the Luxembourg data protection regulator, the CNPD, at the end of February this year, where the chairs were able to get excellent feedback on the Q&A,” Reisch said. “This led them to the publication of Issue 1 of the ALFI GDPR Q&A at the end of April, and currently we are working on the second issue. We still get a lot of questions from ALFI members on how exactly certain provisions of the GDPR should be construed.”

Maria Teresa Fulci de Rosée, Head of Legal and Compliance, Crestbridge Luxembourg, discussed Crestbridge’s GDPR compliance project. The risk-based approach begins with a readiness assessment test to chart the existing situation. “Then we run several risk assessment workshops by unit to evaluate the areas of major risk and establish a roadmap — a way to schedule the measures to be taken,” de Rosée said.

Jennifer Schack, Senior Vice President, Global Head of Privacy, Northern Trust, said her company’s global GDPR program also followed a risk-based approach built off of existing programs, saving time and easing buy-in.

Another consideration was building a comprehensive and appropriate training program. “It is unrealistic to ask every employee to understand the entirety of GDPR, GLBA, the Singapore Personal Data Protection Act or multiple other privacy regulations,” Schack said. “The principles that we built hold together all these regulations under a single umbrella, so employees know exactly how they need to apply data privacy within their impacted processes.”

CONTROLLER VS. PROCESSOR OBLIGATIONS
According to de Rosée, one of the main changes introduced with the new data protection legislation is the increased role of the processor.

“What the GDPR has actually achieved is to fill the gap between the controller and the processor to the point that I am honestly not sure that there is a real difference between the two — they are very much on the same level of responsibilities,” she said.

The processor is obligated to support the controller in some instances, for example, notifying the controller without undue delay after becoming aware of a personal data breach.

PRIVACY-ENABLING TECHNOLOGY
Though Schack said Northern Trust has always relied on technology for data loss prevention, they have leveraged a few new tools to ensure GDPR compliance.

“With GDPR, it was important for privacy to consider other technologies to appropriately operationalize our obligations surrounding records of processing, records management, data minimization and individual rights,” Schack said. “With that in mind, we leveraged a few new technologies to help us discover data.”

The first tool allowed Northern Trust to create data lineage across application databases to see a flow of personal data across various platforms. The second searches unstructured databases — think network drives or SharePoint sites — to verify that appropriate security and care is being applied to those repositories.

“The overall objective with all of the tools that we use is that they are not just for privacy; they can be leveraged for information security, which is why we have a very close relationship with our information security team and we collaborate on a lot of areas, especially in the area of data discovery,” she said.

Reisch agreed that a number of tools are available for these purposes, including some which leverage artificial intelligence. In addition, CNPD has released its own GDPR Compliance Support Tool.

“There are absolutely tools on the market to support the exercise, but I wouldn’t say that in general they are widespread or systematically used — it’s still a bit in the innovation corner,” Reisch said.


NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560