On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Broadly speaking, GDPR is an evolution of existing European data protection law on the rights of individuals and the obligations of organizations. Under it, organizations will need to assure individuals, customers and regulators that they take privacy and data security seriously. GDPR is built on the concept of data protection "by design" (Article 25), meaning that data privacy, risk and compliance need to be built into the systems, processes and procedures across an organization rather than added afterwards. There is a fair amount to unpack in the new regulation; read on for a brief overview and for how SS&C is preparing for GDPR.
A key difference from earlier law is the regulation's territorial reach (Article 3). GDPR applies to any organization that processes the personal data of individuals located in the EU, even if the organization itself is not established in the EU, where that organization offers goods or services to those individuals or monitors their behaviour within the EU. In the funds business, non-EU based managers who control or process the personal data of EU investors may therefore be caught by GDPR. We expect many organizations in the funds and funds administration industry with no physical presence in the EU to be potentially subject to it.
What should organizations do to comply with GDPR?
An organization's obligations under GDPR differ depending on whether it is a data controller or a data processor. A data controller determines the purposes and means of processing personal data; a data processor processes personal data on behalf of a controller. Data controllers carry primary responsibility for GDPR compliance. This means, for instance:
- Collecting and using personal data transparently, fairly, and lawfully
- Limiting the processing of personal data to specified, explicit, and legitimate purposes
- Minimizing the personal data collected to what is adequate, relevant and necessary for those purposes
- Keeping personal data accurate and allowing it to be erased or rectified
- Retaining personal data no longer than necessary, and keeping it secure and confidential
Data controllers will also need to ensure that their data processors (which include many service providers) can provide sufficient guarantees of GDPR compliance, and Article 28 requires that the controller-processor relationship be governed by a contract setting out the processor's data protection obligations. This is likely to mean reviewing any agreements currently in place to document the additional data privacy commitments expected from processors.
How does SS&C comply with GDPR?
At SS&C, in our role as a data processor under Article 28 of the GDPR, we have implemented a comprehensive GDPR program. With the help of an international working group, we are reviewing our data protection and privacy legal obligations and enhancing and updating our business processes and documentation. In particular, we are implementing measures to meet our own obligations as a processor (such as keeping data secure and confidential), providing the representations our clients need for their own GDPR compliance, and working with our clients to supplement our existing agreements with them to reflect GDPR.
How does SS&C’s compliance with the GDPR assist our clients?
As noted above, organizations that are data controllers need to ensure their data processors are able to comply with GDPR. We understand that, as a fund administrator and data processor, it is vital that we have a credible GDPR program. This is why we have been diligent in designing a program to ensure we are GDPR compliant. If you have any questions or would like to learn more, contact us at firstname.lastname@example.org.