Louvre Group Welcomes a New Era for Data Protection
It’s hard to escape the constant reminders of the looming deadline for the new European Union General Data Protection Regulation (EU GDPR).
As the cut-off point for compliance draws closer, organisations are under increasing pressure to get their data processes in order.
David McGall, Louvre Fund Services Head of Corporate Services & Company Secretary, gives an overview of some of the key implications of GDPR for Louvre, its clients and colleagues.
Getting Ahead of the Game
The world of data collection and data usage has changed beyond all recognition over the last 10 years and an overhaul in regulation to protect consumer rights has been long overdue.
GDPR will come into effect on 25 May 2018 and, as a well-established, entrepreneurial owner-managed business, we’ve been getting ahead of that law change for some time.
It is important to remember that any organisation, like Louvre Group, that is located outside of the EU but wants to offer services to European-based clients will need to comply with the European directive.
1. Definitions of Personal Data
Within EU GDPR, the definitions of what personal data is, how it may be processed and exactly what constitutes a personal data breach are now more clearly set out.
Financial services businesses like Louvre must ensure that the personal data processed and controlled by them has been identified and that a thorough data mapping exercise and impact assessment has been undertaken.
Controller & Processor
It’s also important to identify when businesses act as a ‘controller’ or ‘processor’. Each role has different responsibilities under the new laws and will be subject to the financial penalties of the relevant jurisdiction, or jurisdictions, in the event of a breach.
This point needs to be clearly communicated to a company’s clients at the earliest opportunity, in order to ensure that roles and responsibilities have been defined, as clients will invariably require some level of support when setting their own policies, procedures and controls associated with their respective role.
Personal data is defined as information on any person who can be identified by name, by reference to an identifier such as an identification number, or by one or more factors specific to their identity. There are special categories of data that need to be considered, including religion and ethnic origin, which are commonly requested on a company’s terms of business.
Everyday administration tasks, such as board minutes, will also be treated as personal data and the permissions process of how that information is used and shared needs to be carefully considered.
Data subjects also have the right to be forgotten and the right to make ‘Information Access Requests’.
While certainly not a new concept, the processes around these requests have been heightened and the timeframe for compliance reduced.
Clients and customers have always had the right to ask what personal data is being held by that company and to have it erased from an organisation’s files, but EU GDPR has much more stringent guidance regarding how this should be done.
2. Accountability for Data
Companies should be protecting all personal data wherever possible by ‘design and by default’.
This means acting in the best interest of clients and investors when acquiring and managing data by:
- Ensuring that internal controls adhere to the new data protection principles;
- Enhancing any safeguards that are currently in place with adequate monitoring;
- Ring-fencing personal data from areas of the business that are not required to process that data;
- Limiting access to those who specifically need it in order to carry out their roles and responsibilities.
It is also strongly advised that businesses undertake a data mapping exercise to truly understand how personal data is processed and stored by that company.
These data flow audits must be regularly reviewed and updated to ensure they stay current and are tested.
An essential part of this exercise is to introduce a data retention policy that will ensure the client’s personal data is not held longer than required, reducing the risk of breaches and litigation.
Crucially, the data controller and processor must show that appropriate data security is in place in order to adequately protect the data subject.
For example, a key challenge for long-standing trusts will be justifying the possession of historic documentation that could contravene the directive’s requirement that personal data and physical documents should not be held longer than necessary.
3. Greater Transparency
An individual must be made aware that their personal data is being held and give consent to how it will be used.
They have the right to know:
- The nature of the personal data being held on file by an organisation; and
- For what purposes that data is being used.
It is important to note that there is no longer any implied consent; the data subject’s consent must be explicitly given for a defined data usage.
With increased transparency comes a greater level of trust that leads to better client relationships.
Here at Louvre, we encourage all of our clients to review the disclosures and wording of their investor take-on forms and respective prospectus documentation, and also to ensure that their website Privacy Notice is easily discernible, client focused and current.
In the case of a data breach, it will be critical to show the policies and processes a company has had in place in order to react appropriately to this scenario within the specified timeframe, and to ensure that all employees have been appropriately trained in dealing with a potential breach and how to escalate it.
Whilst a business may not be held responsible for third-party failures in the event of a breach, it’s crucial to know that the organisations you are doing business with are doing all that is required to comply with GDPR, and that contractual obligations are clearly set out and have been reviewed and updated.
Failure to do so will certainly leave a company open to scrutiny and potential accountability.
4. Data Security and Reporting
As many of us in the finance industry will know, cyber attacks are now a daily occurrence. The lure of this type of crime has increased dramatically thanks to its lucrative nature.
In an ever-changing world so heavily reliant on mobile technology and electronic connectivity, no business can be fully immune to some level of cyber attack.
Companies face a daily battle to stay on top of current system and software updates in order to be ready to defend their own IP and their clients’ personal data, and to ensure the appropriate framework is in place to respond to these attacks.
As a consequence, GDPR requires any organisation to report a data breach to their local data regulator within 72 hours and to make sure that those affected are notified.
The GDPR Advantage
Much of the noise around GDPR has been focused on the size of the fines a company might face for breaching the regulations.
While 4% of annual group turnover or €20 million is certainly attention grabbing, behind the headlines there are many positives.
For clients, the advantages include:
- Clients will know exactly what data is being used, and will have to give permission for specified usage and how it is stored;
- Greater scrutiny on privacy and data security. Cyber attacks aside, GDPR will help to ensure companies better understand how they manage personal data and to put in a framework to ensure they are doing their best to protect their clients’ and employees’ information from misuse;
- Good data protection practices will become the norm rather than the exception and industry will have data protection at the forefront of any services they provide;
- Information will be shared and protected in the most efficient and safe way possible; and
- Board security will be improved and it will become easier for directors spread over multiple jurisdictions to access their data in a secure environment.
Guernsey - A ‘Quality Mark’ Jurisdiction
As a jurisdiction, Guernsey is well known for its forward-thinking approach to regulation and transparency.
Clients come to Guernsey in order to carry out business in a jurisdiction that has established itself as safe, well regulated and experienced.
The introduction of the Guernsey Data Protection (Bailiwick of Guernsey) Law 2017 and the Island’s close association with EU GDPR reinforce the attraction of doing business here.
Louvre Group’s Compliance
Over the last 12 months, Louvre has introduced new systems for client on-boarding and customer due diligence processes, focusing on building a framework around how we receive and process personal information and client data.
We are well on our way to ensuring that we have identified the key areas of concern to ensure that we continue to provide the highest standard of service and value to our clients while maintaining the highest possible standards of data integrity and information security for our clients and stakeholders.
For more information about Louvre Group’s response to GDPR, please contact David McGall on firstname.lastname@example.org or call +44 (0) 1481 727 249.