GDPR: approaching one year

GDPR has transformed the way asset managers handle personal information and respond to data breaches

Financial firms are expanding their data arsenals to gain a competitive edge and are turning to more unconventional sources of information to inform their decision-making. But to what extent are these firms also increasing their regulatory risk by acquiring and retaining new forms of data from sources that contain personal information, such as social media posts and credit card transactions?

Key insights

  • While only 91 GDPR fines have been levied so far, that figure is expected to rise as regulators clear a backlog of breach notifications
  • The largest fines levied for GDPR-related offences have resulted from inadequate transparency over why data is collected and how it is used and stored
  • Asset managers are required to assess how their own operations comply with GDPR, as well as those of their third-party vendors

The General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. This landmark regulation has compelled firms that handle or process personal data to reassess the way they safeguard it. The rules also require organizations to notify the national data protection authority of a personal data breach within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the affected individuals, to inform those individuals without undue delay. The fines for non-compliance can be significant, running up to EUR 20 million or four percent of annual global turnover, whichever is higher.

Survey data suggests that, under the threat of such sanctions, many asset management firms have revised their data policies to ensure compliance with GDPR. According to a survey by IT and networking conglomerate Cisco, 59 percent of companies report that they meet all or most of GDPR’s requirements, and a further 29 percent expect to be compliant within a year.1 Significant challenges identified by the asset management industry include vetting the compliance of third-party vendors and securing data in a compliant manner, but the most pressing matter for most funds has been training employees to respond appropriately to breaches.

Responding promptly to data breaches has become a priority for asset managers

More than 59,000 personal data breaches have been reported to European data protection authorities since GDPR came into effect last year, according to a survey by global law firm DLA Piper.2 The Netherlands reported the most, with over 15,000, followed by Germany with more than 12,500 and the United Kingdom with 10,600.3

Ross McKean, partner at DLA Piper, said “GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US-style group litigation claims for compensation. As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breaches out into the open.”4

Asset management firms are not exempt from the mandatory breach notification rules, and regulators have cautioned that failure to notify authorities and data subjects adequately will be met with severe fines. So far, however, few fines have been imposed: just 91 GDPR-related fines have been levied to date, although that figure is expected to rise significantly as regulators clear the backlog of notifications received since the regulation took effect.

Funds are now required to meet higher standards of data transparency

Data breaches may be reported far more often since the introduction of GDPR, but the largest fines levied so far have been reserved for companies that fail to obtain valid consent from their users or to inform them how their data is used. In January 2019, Google was fined EUR 50 million by CNIL, the French data protection authority.5 The regulator ruled that the search giant had not adequately informed users why their data is collected, how it is used, and how long it is retained.

“The ruling against Google is a reminder that financial market participants must be careful in how they handle the personal data of their employees and their customers. The terms of GDPR require that all funds sufficiently notify clients, staff and investors where their data is being processed, by whom, and for what purpose,” explains Wendy Phillis, Managing Director, Regulatory Solutions at RBC Investor & Treasury Services.

Firms holding personal data must store it in a way that meets the regulation’s requirement for data protection by design and by default, commonly referred to as “privacy by design”. Authorities expect evidence that confidentiality was built into the way personal information is recorded from the outset, not added after the fact. In Germany, for example, a EUR 20,000 fine was imposed on a chat platform for storing user passwords in plain text rather than as salted hashes.6
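The plain-text password case above is the clearest example on this page of a design failure that no amount of access control can repair once a database is copied. The following is an added illustration, not code from the article or from any firm it mentions: the plain-text store that attracted the fine is shown next to the form a practitioner would expect, a per-user random salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library, at the OWASP-recommended work factor). The record layout, the helper names and the sample credential are assumptions made for the example.

```python
"""Plain-text versus salted, slow-hashed password storage.

Added example for illustration; not code from the article or any firm it
describes. Record format, parameter choices and names are assumptions.
"""
import hashlib
import hmac
import os

# --- The failure mode behind the fine: the credential is kept as typed.
# A copied table discloses every password directly. (Constructed sample.)
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}


def verify_plaintext(store: dict, user: str, password: str) -> bool:
    """Works, but only because the secret itself is on disk."""
    return store.get(user) == password


# --- Hardened form: random per-user salt plus a slow key derivation.
# 600,000 iterations is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh salt: equal passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed or legacy record: never authenticate on it
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a weaker work factor or an unknown format.

    Call this right after a successful login, when the plaintext is
    available, and replace the record with hash_password(password).
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong"))  # False
```

The point of the self-describing record is that the work factor can be raised later: `needs_rehash` lets a deployment migrate old records transparently at login, which is exactly the kind of forward-looking control a regulator assessing data protection by design will ask about.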

Over-reliance on third-party data vendors and processors can increase regulatory risk

In addition to records of staff, customers, and investors, the vast majority of asset managers also handle personal information as part of datasets that are used in investment decisions. The market for alternative data is thriving, with Deloitte estimating that spending by trading and asset management firms may exceed USD 7 billion by 2020.7

Since alternative data is a relatively new trend, fund managers should be aware that the regulations and accepted practices governing its use are still maturing. No firm has yet been fined under GDPR for its handling of alternative data sourced from third parties. The regulation does, however, make the firm that decides how personal data is used responsible for ensuring that data it obtains from, or passes to, third-party vendors is processed in compliance with GDPR, including by those vendors.

As alternative data becomes increasingly integral to the work of asset managers, firms should stay up to date with the latest GDPR guidance issued by regulators. The penalties for a privacy breach could far outweigh any gains from data that was obtained or processed in breach of GDPR.