General Data Protection Regulation Affects Investment Advisors with EU Clientele

The European Union (“EU”) recently enacted the General Data Protection Regulation (“GDPR”) which will take effect in May 2018. The GDPR is a sweeping regulatory regime designed to protect the personal data of EU residents (i.e. natural persons residing in the EU) and to give them control over their personal information. Although the regulations were enacted in the EU, any entity around the world that processes the personal data of EU residents is subject to the GDPR. In other words, any investment advisor with clients in the EU must comply with the GDPR.

Penalties for violating the GDPR can be quite punitive, with fines up to €20 million or four percent (4%) of an entity’s annual worldwide revenues. Given the wide reach and potential consequences of non-compliance, it is important that investment advisors with EU clients be aware of the GDPR’s requirements and have proper programs in place to adequately safeguard the data that falls within its ambit.

U.S. federal and state law requires businesses to safeguard the personal data of their clients. Under the Gramm-Leach Bliley Act, financial institutions must adopt security measures to safeguard client information (as with the GDPR, this requirement applies to clients who are natural persons). Pursuant to the Gramm-Leach Bliley Act, the SEC released Regulation S-P, which sets forth the privacy policies that an SEC registered investment advisor must adopt to adequately protect the non-public information of its clients (investment advisors not registered with the SEC must comply with the Safeguards Rule promulgated by the FTC). Such policies include: the adoption of written policies and procedures, the identification of potential risks that could compromise confidential information and the periodic assessment of compliance procedures to ensure that adequate protections are in place. While the requirements of Regulation S-P will likely overlap with some of the provisions of GDPR, the GDPR will also impose additional requirements on investment advisors with respect to their EU clients.

Rather than providing a checklist of action items deemed to be adequate safeguards of personal data, the GDPR identifies a set of principles including data security, accountability, lawfulness, purpose limitation and data minimization. Given the general nature of the principles, the method of compliance with the GDPR is open to interpretation. EU Member States are currently adopting laws and regulations that implement the GDPR principles.

Although the GDPR does not provide much specific guidance for compliance, particularly for investment advisors outside of the EU, investment advisors can take concrete steps right now to better prepare themselves. These steps include the following:

  • One of the key components of the GDPR is that EU individuals must provide their affirmative consent for their personal data to be used. Obtaining such individuals’ general permission to use their personal data will not be sufficient; rather, these clients must consent to the specific intended uses. Subscription agreements may need to be updated to ensure that client consent is given in the appropriate manner with representations that adequately specify the potential use of client data (e.g., to satisfy KYC obligations).
  • All personal data of clients must be accurate and up-to-date. Investment advisors should take an inventory of their client data and update it as necessary to ensure that all information is current and correct. While it remains unclear how frequently such an inventory will be required under the GDPR, a good starting point is for investment advisors to review such information in the course of their next regularly scheduled compliance review.
  • Investment advisors should ensure that their service providers are aware of the GDPR and that they are taking the appropriate steps to implement the Regulation. The GDPR requires that personal data may be processed only within the parameters of clear instructions with respect to such data. Contracts with third party service providers may need to be amended to reflect the new requirements.  MORE