The General Data Protection Regulation (GDPR) applies across the EU from May 25, 2018. Investment fund complexes, distributors, fund administrators and depositaries with global reach will need to review their controls and processes as they relate to personal data.
Our experts offer invaluable insight on:
- Main features of the regulation
- Obligations for the fund industry
- Practical guidance on “operationalizing” GDPR principles
2. www.nicsa.org | #WebinarWednesdays
NITIN PANDEY - Moderator
Senior Manager,
Risk and Financial Advisory
Deloitte & Touche LLP
OLIVIER REISCH
Partner
DLA Piper Luxembourg
JENNIFER SCHACK
Senior Vice President,
Global Head of Privacy
Northern Trust Company
MARIA TERESA FULCI DE ROSÉE
Head of Legal and Compliance
Crestbridge Luxembourg
How the Luxembourg fund industry prepared
ALFI was among the first industry bodies in Luxembourg to set up an active GDPR working group
• GDPR working group kick-off meeting in September 2017, with over 60 people attending
• Three sub-groups were created, with a good mix of ManCo, TA and Custody functions, and with lawyers and consultants also represented:
— Business impact analysis (mainly looked at controller/processor roles)
— KYC/AML and FATCA/CRS aspects
— General aspects (looked at DPOs, DPIAs, transparency and legal basis)
• Regular 2-3 hour meetings over the next few months with typically 15-20 people attending each session
• Meeting with the Luxembourg regulator in February 2018, chairs were able to get excellent feedback
• Issue 1 of the ALFI GDPR Q&A published to members on 27 April 2018
• Issue 2 in the works
Crestbridge GDPR project
Project phases (figure): Readiness Assessment, Test, Risk Assessment, Workshop, Data Scoping, Findings, GDPR Roadmap.
Risk-based approach covering: Governance and DPO, Procedures, CRM and Marketing, Training, Privacy Notices, Agreements review, HR, IT…
GDPR Considerations (figure)
• Data Mapping / Records of Processing (Article 30)
• Data Protection Impact Assessments (DPIAs) (Article 35)
• Storage Limitation (Articles 5, 25, 47)
• Data Minimisation (Articles 5, 25, 47)
• Individual Rights Requests (Articles 15-22)
• Privacy by Design (Article 25)
• Data Breach Response (Articles 33-34)
• Vendor/Third Party Due Diligence (Article 28)
Supporting functions: Compliance Management, Governance, Training & Awareness, Independent Review.
Main obligations of the controller
1. Implement technical and organisational measures to ensure and demonstrate that processing is performed in accordance with the GDPR – data protection policies and procedures (data protection by design)
2. Implement measures by which only the data that are necessary for the processing are actually processed (data protection by default)
3. Only use processors that provide sufficient guarantees that they are able to implement technical and organisational measures to ensure and demonstrate that processing is performed in accordance with the GDPR and to ensure protection of the rights of the data subject
4. If there are joint controllers, determine each controller's responsibilities
5. Maintain a record of processing
6. Provide information to the data subject:
a. On the controller: the identity and contact details of the controller and, where applicable, their representative, and the contact details of the data protection officer, if any
b. On the personal data: the categories of personal data concerned and the recipients (or categories of recipients) of the personal data
c. On the processing: the purposes and legal basis for the processing:
i. consent,
ii. performance of a contract,
iii. legal obligation,
iv. legitimate interest, if it is not overridden by the interests or fundamental rights and freedoms of the data subject, or
v. protection of a vital interest, or public interest
d. The storage period (or, if that is not possible, the criteria used to determine that period)
e. The existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject
f. Details of transfers to third countries: the fact of the transfer, the details of the relevant safeguards (including the existence or absence of a Commission adequacy decision) and the means to obtain a copy of them or where they have been made available
g. On the rights of the data subject, i.e. to be informed, to have access, rectification, erasure, restriction of processing, objection to processing and data portability, to object to automated decision-making and profiling, the right to lodge a complaint with a supervisory authority, and the right to claim compensation
h. Where processing is based on consent (or explicit consent), the right to withdraw consent at any time
i. Where legitimate interest is the legal basis for the processing, the legitimate interests pursued by the controller or a third party
j. Whether there is a statutory or contractual requirement to provide the information, or whether it is necessary in order to enter into a contract, whether there is an obligation to provide the information, and the possible consequences of failing to do so
k. If the data are received from a third party, the source from which the personal data originate and, if applicable, whether they came from a publicly accessible source
7. Facilitate the exercise of data subject rights
8. Notify the CNPD of a personal data breach (within 72 hours) and communicate it to the data subjects if there is a high risk to their rights and freedoms
9. In certain circumstances, appoint a DPO (where the core activity consists of processing data on a large scale) and perform a data protection impact assessment (large-scale processing, systematic monitoring, etc.), and
10. Respond to CNPD inquiries.

Main obligations of the processor
1. Provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
2. Request prior authorisation if it wants to delegate the processing to another processor or, if it has already been granted a general authorisation to delegate, inform the controller in advance and give it the opportunity to object;
3. Impose the same data protection obligations on that other processor by way of a contract, while remaining fully liable to the controller for the performance of that other processor's obligations;
4. Maintain records of the categories of processing;
5. Enter into a contract or other legal act with the controller which sets out:
— the subject-matter and duration of the processing,
— the nature and purpose of the processing,
— the type of personal data and categories of data subjects, and
— the obligations and rights of the controller.
In addition, the contract or other legal act shall stipulate that the processor:
— processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country, unless required to do so by law, in which case the processor informs the controller of that legal requirement before processing;
— ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
— takes all measures required to ensure the security of processing, which may include:
o the pseudonymisation and encryption of personal data,
o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
o the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
o a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
— assists the controller by appropriate technical and organisational measures in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights;
— assists the controller in drafting the DPIA, ensuring the security of processing, notifying data breaches, and where prior consultation of the competent supervisory authority is required;
— upon request, deletes or returns all the personal data to the controller after the end of the provision of services relating to the processing, and deletes existing copies;
— makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
6. Notify the controller without undue delay after becoming aware of a personal data breach;
7. In certain circumstances, appoint a DPO (where the core activity consists of processing data on a large scale) and perform a DPIA (large-scale processing, systematic monitoring, etc.); and
8. Respond to possible inquiries from supervisory authorities.
Note: if a processor infringes the GDPR by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.