Monday, May 21, 2018

Interpretations for Privacy Policy and GDPR Compliance

By Cory Roberson, Principal at RIA Review and RIA Consults
What does GDPR stand for?

The General Data Protection Regulation (GDPR) replaces the EU’s Data Protection Directive (the previous European privacy law), first adopted in 1995.  The regulation requires businesses in Europe and abroad to adopt additional safeguards for the personal data of their EU clients.  For U.S.-based firms with European business, it serves as an extension of their existing privacy policy and procedures.

Applicability Date:  May 25, 2018

How do European privacy rules apply to my business in the U.S.?

GDPR applies to:
Firms located in the U.S. that conduct business in the EU, share or export large volumes of personal data (as controllers)* within the EU, and/or have EU-resident clients (e.g. EU residents, EU citizens, cross-border activities, big data/analytics businesses).

GDPR doesn’t apply to:
Firms located in the U.S. that have no EU business operations, no data exporting/sharing with the EU, and no clients that are EU residents/citizens.  

Does GDPR require an update to my existing Privacy Policy?
Most firms, in compliance with Regulation S-P, already have a privacy policy that describes how client information is protected and how client data is used in business operations.  If your business doesn’t have a privacy policy, now is a good time to create one.

Firms with EU business operations should enhance their current privacy procedures based on their business practices.  Do you have EU clients/operations?  If so, do you offer an opt-out for notifications and for the use of their data?  Do you provide a privacy disclosure to EU residents?  Do you export or analyze personal data on a large scale (as a “controller”)?

Firms can implement an opt-in disclosure for EU residents receiving notifications according to their privacy policy.  For advisors, this disclosure can be added to the firm’s annual offer letter/procedures.

Firms can also review existing privacy and data-breach procedures.  Under Article 33 of the GDPR, the supervisory authority must be notified within 72 hours of the firm becoming aware of a breach; under Article 34, affected EU clients (data subjects) must be notified without undue delay when the breach is likely to result in a high risk to them. 

Firms with Internet/Data business (e.g. online robo-advisors, mutual funds, research firms) should adopt an opt-in/opt-out function on their website as online advisors may have business that reaches within the EU.  Review definitions for “controllers” at  We recommend consulting with your IT team or consultant about proper protocols if you haven’t already done so.

Firms with no EU business operations:  No updates needed outside of Reg. S-P regulations.

Firms that share/export data on a large scale (“controllers”) should determine whether they must designate a data protection officer (DPO) in the EU*

*Controller and DPO:  DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offences.  Examples: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). Source: (  

Note: The site was recently down.  If the site still doesn't work, you can refer to: for more information. 

Generally speaking, firms that are under EU regulatory authority, are located in the EU, maintain cross-border business operations, and/or run big data operations in the EU are the most likely to face scrutiny from European regulators over additional safeguards.  At this point, we do not provide any further interpretation of European regulatory compliance issues.  

Things to consider:

Conduct a risk assessment of sensitive areas (e.g. password protection, storage of records, access to data)
Run an annual or periodic test of data systems and security protections (many firms hire an IT firm to help with this)
Refer to the general Cybersecurity Checklist in RIA Review

Privacy Policy Notice/Procedures: 
Follow the steps outlined in your existing written procedures.
Send clients the annual privacy notice (due within 120 days of the firm's fiscal year end)

If you don't have a privacy notice, a template is available online at RIA Review:
Short version: covers standard privacy provisions.
Long version: details online/data/cookies provisions. 
GDPR Compliance (only if you do business in the EU or have EU clients):
Include a disclosure for EU residents of their right to opt out of communications. 

GDPR Privacy Policy Disclosure/EU Residents Rights: 
Your data is used in connection with the services provided to your firm; you can choose to opt out of receiving future notifications at any time. We have provided a copy of our privacy notices below. 

Our Privacy Policy Disclosures
Firms can review our privacy policy for our use of data.  We may use or share data with our vendors/affiliates in connection with the services provided to your firm.  In addition, we are adding security protocols to RIA Review, including multi-factor authentication (two or more factors).  

Compliance and Business Management

FIN Compliance ( is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/broker-dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019).  Access all services on one site:


FIN Missions ( provides business support group sessions for other entrepreneurs.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
