
Today New City Initiative is comprised of 53 leading independent asset management firms from the UK and the Continent, managing approximately £400 billion and employing several thousand people.

GDPR

2018 is likely to be a fairly difficult year from a regulatory perspective for asset managers. Sandwiched between Brexit planning and Markets in Financial Instruments Directive II (MiFID II) compliance lies the General Data Protection Regulation (GDPR). GDPR will become EU-wide law in May 2018 yet many in the asset management world have not given it due priority. This is ill-advised.

As the name suggests, GDPR demands that companies (asset managers included) make material improvements in how they manage data on behalf of customers and employees within the EU. A failure to do this properly could result in a fine of up to 20 million euros or 4% of global turnover. GDPR should, however, not be viewed as a radical new change but rather as a strengthening of already robust data protection laws.

So what does it mean? Firstly, asset managers need to ensure their customers consent fully to their data being used on a “purpose by purpose basis, using clear and plain language, in circumstances where, in order to be valid, the consent must be an unambiguous indication of the individual’s wishes, by a statement or clear and affirmative action, and individuals must be informed they may withdraw their consent at any time.”[1]

In short, consent must be obtained if customer data is used for analytics, distribution to third parties, marketing or anything else. Anyone who has attended a Fund Forum over the last two years will attest that big data has been high on the agenda as managers look for increasingly innovative means of selling the right products to customers. Such analytics may involve managers scrutinising the economic wellbeing or buying trends of clients, among other factors.

GDPR will not be the end of big data, but it will force organisations to be more circumspect about how they use it. Managers and their service providers will have to redouble their efforts to ensure that personal data is not processed for any purpose other than the one for which it was collected, and that the processing is not excessive. The situation could be quite complex, as GDPR applies to data that has already been collected. Getting permission from clients to process this historical information may be challenging.

GDPR also sets out a formalised framework for organisations to notify the authorities of any data breaches, while the rules stipulate that firms should have robust security measures in place to prevent such violations from happening. Unfortunately, some breaches are completely unavoidable, but regulators will assess whether firms have had lapses in their data protection processes and security measures, and fines may be issued as a result.

In addition, GDPR mandates that organisations with a headcount of more than 250 people appoint a chief data officer, a threshold which exempts nearly all boutiques. Despite this, smaller managers should ensure that an existing, qualified employee has a remit for data protection, a provision recommended in GDPR.

So what do asset managers need to do? To begin with, they need to identify where client data is held before they start implementing processes around aggregation and collection. From there, a gap analysis can be conducted and documentation of processes and procedures drawn up. Any service providers hosting sensitive client data should be scrutinised by the manager to ensure their systems are sufficiently protected and compliant. Equally, any shortfalls in cyber-security need to be remedied immediately.

The next twelve months are going to be a busy time for asset managers, and it is crucial that they start taking GDPR preparations seriously.


[1] http://www.matheson.com/images/uploads/documents/GDPR_in_Context_-_Impacts_on_the_Asset_Management_Industry.pdf