By Cory Roberson, Principal at RIA Review and RIA Consults
What does GDPR stand for?
The General Data Protection Regulation (GDPR) replaces the EU's Data Protection Directive ("European privacy policy") first adopted in 1995. The regulation now requires businesses in Europe and abroad to adopt additional safeguards for the protection of client information belonging to their EU citizen clients. In the context of U.S.-based firms with European business, it serves as an extension of their existing privacy policy and procedures.
Applicability Date: May 25, 2018
How do European privacy rules apply to my business in the U.S.?
GDPR applies to: firms located in the U.S. that conduct business in the EU, share or export big data (controllers)* within the EU, and/or have EU resident clients (e.g. EU residents, EU citizens, cross-border activities, big data/analytics businesses).
GDPR doesn't apply to: firms located in the U.S. that have no business operations in the EU, no data exporting/sharing with the EU, and no clients who are EU residents/citizens.
Does GDPR require an update to my existing Privacy Policy?
Most firms, in adherence with Regulation S-P, already have a privacy policy that details the protection of client information and the use of their data for business operations. If your business doesn't have a privacy policy, then now is a good time to create one.
Firms with EU business operations should enhance their current privacy procedures based on their business practices. Do you have EU clients/operations? If so, do you provide an opt-out for sending notifications or using their data? Do you provide a privacy disclosure to EU citizens? Do you export/analyze data on a large scale ("controller")?
Firms can implement an opt-in disclosure for EU residents receiving notifications according to their privacy policy. For advisors, this disclosure can be added to the firm's annual offer letter/procedures. Firms can also review existing privacy and data breach procedures (EU clients must be notified within 72 hours according to Article 33 of the EU GDPR).
Firms with Internet/data businesses (e.g. online robo-advisors, mutual funds, research firms) should adopt an opt-in/opt-out function on their website, as online advisors may have business that reaches into the EU. Review the definitions for "controllers" at EUGDPR.org. We recommend consulting with your IT team or consultant about proper protocols if you haven't already done so.
Firms with no EU business operations: no updates needed outside of Reg. S-P regulations.
Firms who share/export data on a large scale ("controllers") should identify a data protection officer (DPO) in the EU.*
*Controller: DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences. Examples: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). Source: EUGDPR.org (https://www.eugdpr.org/key-changes.html).
Note: The EUGDPR.org site was recently down. If the site still doesn't work, you can refer to https://gdpr-info.eu/ for more information.
Generally speaking, firms who are under EU regulatory authority, located in the EU, maintain cross-border business operations, and/or run big data operations in the EU likely face the greatest implications for examination of additional safeguards by European regulators. At this point, we do not provide any further interpretation of European regulatory compliance issues.
Things to consider:
Cybersecurity:
Conduct a risk assessment of sensitive areas (e.g. password protection, storage of records, access to data).
Run an annual or periodic test of data systems/security protection (e.g. many firms hire an IT firm to help with this area).
Refer to the general Cybersecurity Checklist in RIA Review.
Privacy Policy Notice/Procedures:
Follow the steps outlined in your existing procedures.
Send clients the annual privacy notice (due within 120 days of the firm's fiscal year end).
If you don't have a privacy notice, a template is available online at RIA Review:
Short version - covers standard privacy provisions.
Long version - details online/data/cookies provisions.
GDPR Compliance (only if you do business in the EU/have EU clients):
Include a disclosure for EU residents of their right to opt out of communications.
GDPR Privacy Policy Disclosure/EU Residents' Rights:
Our data is used in connection with services provided for your firm--you can choose to opt-out of receiving future notifications at any time. We have provided a copy of our privacy notices below.
Our Privacy Policy Disclosures
Firms can review our privacy policy for our use of data. We may use/share data with our vendors/affiliates in connection with services provided to your firm. In addition, we are adding security protocols to RIA Review, including two- or three-factor authentication tools.
RIA Consults: http://www.riaconsults.com/privacy.html
Compliance and Business Management
FIN Compliance (FINCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site: FINCompliance.io.
Impact
FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.