By Harry A. Payton
Large or small wealth management firms, financial advisors, asset managers, estate planning professionals and others in the financial services industry residing in the European Union must comply with General Data Protection Regulations that became effective in May 2018. Firms outside the EU but conducting business within the EU must also comply, however some firms are dragging their heels to do so.
What was formerly a directive adopted in 1995 is now the law in the EU. It is reported that authorities have engaged more than 200 additional investigators to enforce compliance. Depending on the seriousness of a breach, penalties for non-compliance can be quite severe—up to 20 million euros or 4 percent of the firm’s gross revenues.
GDPR deals with three entities: the data subject, the data controller and the data processor. The data subject is your client or investor, current, former or prospective. Data controllers determine what data is collected and for what purpose. They include natural persons and legal entities that determine, alone or with others, the purposes and the method of processing personal data. Financial professionals are most likely to be identified as data controllers. Data processors, on the other hand, are individuals or legal entities that process the data on instructions from the data controller. Data processors manage the data, its storage, security, transfer and deletion.
Whether the data controller is the local EU wealth management office of a large multinational financial institution, a small law or accounting firm engaged in estate planning services, the obligations concerning the collection, storage, use, transfer and deletion of data are the same. Crucially, the collection of data must be with the client’s consent, in response to clear, concise and easy to understand advice explaining the data to be collected and how it will be used, stored, transferred if necessary, or deleted. The client has the right to know who will review the data and why, as well as the security measures taken to protect the data.
The principal characteristics of the collection of data under GDPR are that it must be lawful, it must be fair and it must be transparent. This means that data may only be collected when a lawful basis is present. This basis may derive from express consent, by contract or pursuant to a legal obligation. The consent must be informed and it must be offered in plain and easily understandable language for the average person. Under GDPR, the financial professional has an obligation to explain to the client the use to which the data will be put. This will require specific and detailed disclosures. Explanations to the data subject must be in easy to understand language and cannot be buried among the terms and conditions of a lengthy document such as an engagement letter. Finally, client consent must be freely given with knowledge of the use to be made of the data, without coercion or contractual mumbo-jumbo.
Consequently, when a client walks into your office, you, as the financial advisor, now have more duties than ever before to explain in detail:
- What information you are seeking from them
- Why you are seeking it
- What you intend to do with it
- Who may be involved along with you in rendering services to them
- How the information may be stored, secured and transferred or when it will be deleted if no longer required.
As a wealth manager, you are well-advised to review your contract for services for compliance with GDPR and establish your status as a data controller or data processor, or both. Subsequently, important steps to take include determining the security of your data and that of your data processor if you use one, simplifying client consent documents, developing a plan to respond to a data breach and appointing and educating a data protection officer, to assure compliance with GDPR. This may seem like a big undertaking. The consequences of non-compliance may be more burdensome.
Harry A. Payton, B.C.S, is a managing member of Payton & Associates, a member of IR Global, a multi-disciplinary professional services network that provides advice to companies and individuals across more than 155 jurisdictions.