While the impact of GDPR is most obvious on companies that hold and process consumer data, asset managers cannot afford to be complacent.
GDPR — what does business as usual look like?
Having worked feverishly toward day-one compliance, asset managers are also keenly aware that GDPR requires an ongoing strategic data protection effort. Here, we outline some of the ways in which the GDPR specifically affects the asset management industry, and how asset managers can embrace a sustainable and strategic data privacy approach through an intelligent data privacy framework.
Once the initial implementation deadline for the GDPR passed — and asset managers achieved all the requirements for compliance — many larger firms started thinking about GDPR 2.0. Now that the initial rush to achieve day-one GDPR compliance is in the past, what does the business as usual (BAU) operating model look like for asset managers? To answer this question, we first need to have a complete picture of how the GDPR impacts a typical asset management organization.
What has asset management data got to do with GDPR?
The type of data being processed varies widely depending on the type of asset management organization:
- Asset managers typically have personal data relating to any “direct to customer” retail products, as well as alternatives products (particularly real estate). Asset managers whose customer base is institutional or corporate only are less exposed to the effects of GDPR.
- Outsourced asset servicers process some personal data on behalf of asset managers and wealth managers. Depending on the nature of the outsourcing arrangement, they may therefore also process significant amounts of personal data.
- Wealth managers and private banks have a lot of sensitive personal data relating to high-net-worth and ultra-high-net-worth individuals.
Impact of the GDPR on asset managers
- Expanded notices about how personal information is to be used
- Limitations on retention of personal data
- Increased requirements to delete or hand over an individual’s information upon request
- Mandatory data breach notification requirements
- Requirements to maintain records of data processing activities and transfers of personal data
- Higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities