On May 25, 2018, the EU will begin enforcing a groundbreaking new regulation affecting the way personal information of EU citizens is managed, processed and protected. SS&C is ready. Are you?
The Capitol Hill grilling of Facebook CEO Mark Zuckerberg has focused a great deal of attention on the potential misuse of personal data by companies that hold such data. While the U.S. Congress deliberates on what additional regulation may be necessary, the European Union has already introduced sweeping regulation that could set a new global standard for data privacy and security.
The GDPR (General Data Protection Regulation) goes into effect on May 25, 2018. The new regulation may apply to all companies and organizations that collect or process personal data on EU citizens and subjects, whether or not those entities are headquartered or operate in EU member countries. In today’s global business and social networks, few large organizations will be unaffected. The penalties for violations are severe, with tiered fines of as much as 4% of annual revenues.
Controller, Processor, or Enabler?
GDPR defines two types of organizations that have exposure to an individual’s personal information – a “Controller,” the primary entity that interfaces with the individual and collects the data, such as a bank, insurance company or social media platform, and a “Processor,” a provider that processes, manages, or stores the data on the controller’s behalf. In our role as an application services and business process outsourcing provider, SS&C predominantly fits into the “Processor” category. Over the past year we have mobilized considerable resources to make sure we are prepared for May 25, 2018 and beyond.
Mobilizing the Taskforce
Since GDPR affects so much of the SS&C organization, we decided to tackle compliance through a committee approach. We organized a multidisciplinary, multinational task force drawing on functions such as Information Security, Information Technology, Legal, Compliance, Application Development, and Human Resources.
One of the first and most ambitious initiatives of our task force was a mapping exercise in which we performed a detailed assessment of SS&C’s data, applications and service assets to determine which ones fall within the scope of GDPR. We analyzed the data transfers between our systems and applications and identified any data that pertained to individual EU subjects. Among the areas we closely examined were physical security, perimeter security (how a system can be accessed over the internet), encryption of data both at rest and in transit, access and authentication controls, and change management.

As a result of this effort, we defined two types of action points: “essential actions” and “beneficial actions.” The essential action points are the ones that we believed should be in place before the May 25th enforcement deadline. The beneficial action points are the ones that would enhance the controls we already have in place and could be added to an application after the May 25th deadline. This exercise established a baseline of security mechanisms that must be in place to meet GDPR’s requirements, and it also demonstrates to our clients that we are safely and securely protecting their information and their investors’ information in our systems.
Education and Training
Even with the rigorous scrutiny of all our information systems and assets, we realize that GDPR is more than a checklist of technology and process safeguards. It is a shift in mindset that requires a basic understanding of the principles and repercussions of GDPR. SS&C mandates a basic GDPR training course for all of our thousands of employees. We follow up with more customized training for professionals who are directly involved with affected SS&C assets and processes. SS&C has also created a host of GDPR-related documentation for our clients, and we continue to meet with clients all over the world to answer questions and ensure GDPR compliance best practices are in place.
Expertise, Speed and Agility
Despite the considerable investment in time and resources that will be required to meet the strict compliance demands of GDPR, the regulation is an important step in guaranteeing the privacy and security of personal information. No doubt it will be a prototype for protecting citizens of other geographic and economic jurisdictions beyond the EU. GDPR gives individuals a great deal of control over their personal data that they did not previously have, and it gives data controllers and processors a solid baseline of discipline and security measures.
Fortunately for SS&C and its clients, many of the technological, procedural and intellectual prerequisites for GDPR compliance were already in place. The sensitivity of the financial services data we process has always demanded strong security controls. In addition, the ability to adapt to regulatory change is deep-rooted in SS&C’s corporate culture. The speed and agility with which we can accommodate new regulations in global markets is one of our premier value propositions and a cornerstone of the SS&C brand.
Bring on GDPR. SS&C is confident and ready.