Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Are You GDPR Ready?


Published on

General Data Protection Regulation comes into force across the EU on May 25, 2018. Investment fund complexes, distributors, fund administrators and depositaries with global reach will need to consider their controls and processes as they relate to personal data.

Our experts offer invaluable insight on:

- Main features of the regulation
- Obligations for the fund industry
- Practical guidance on “operationalizing” GDPR principles

Published in: Economy & Finance
  • Be the first to comment

  • Be the first to like this

Are You GDPR Ready?

  1. 1. | #WebinarWednesdays GENERAL DATA PROTECTION REGULATION Are You GDPR Ready? May 16, 2018
  2. 2. | #WebinarWednesdays NITIN PANDEY - Moderator Senior Manager, Risk and Financial Advisory Deloitte & Touche LLP OLIVIER REISCH Partner DLA Piper Luxembourg JENNIFER SCHACK Senior Vice President, Global Head of Privacy Northern Trust Company MARIA TERESA FULCI DE ROSÉE Head of Legal and Compliance Crestbridge Luxembourg
  3. 3. | #WebinarWednesdays How the Luxembourg fund industry prepared ALFI was among the first industry bodies in Luxembourg to set up an active GDPR working group • GDPR working group kick off meeting in September 2017, with over 60 people attending • 3 sub groups were created with good mix of ManCo, TA and Custody functions, but also lawyers and consultants represented — Business impact analysis (mainly looked at controller/processor roles) — KYC/AML, FATCA/CRS aspects — General aspects (looked at DPOs, DPIA's, Transparency and legal basis) • Regular 2-3 hour meetings over the next few months with typically 15-20 people attending each session • Meeting with the Luxembourg regulator in February 2018, chairs were able to get excellent feedback • Issue 1 of the ALFI GDPR Q&A published to members on 27 April 2018 • Issue 2 in the works
  4. 4. | #WebinarWednesdays Crestbridge GDPR project GDPR Roadmap Readiness Assessment Test Risk Assessment Workshop Data Scoping Findings Risk Based Approach Governance and DPO, Procedures, CRM and Marketing, Training, Privacy Notices, Agreements review, HR, IT…
  5. 5. | #WebinarWednesdays Data Mapping / Records of Processing (article 30) Data Privacy Impact Assessments (article 35) Storage Limitations (article 5, 25, 47) Data Minimization (article 5, 25, 47) Individual Rights Requests (article 15-22) Privacy by Design (article 25) Data Breach Response (article 33-34) Vendor/Third Party Due Diligence (article 28) GDPR Considerations Compliance Management Governance Training&Awareness IndependentReview
  6. 6. Q&AQUESTIONS & ANSWERS SESSION | #WebinarWednesdays
  7. 7. | #WebinarWednesdays Main obligations of the controller Main obligations of the processor 1. Implement technical and organizational measures to ensure and demonstrate that processing is performed in accordance with GDPR – data Protection policies and procedures (DP by design) 2. Implement measures by which only data that are necessary to be processed are actually processed (DP by default) 3. Only use Processors that provide sufficient guarantees that it is able to implement technical and organizational measures to ensure and demonstrate that processing is performed in accordance with GDPR and ensure protection of the rights of the Data Subject 4. If Joint Controllers, determine each controller responsibilities 5. Maintain record of processing 6. Provide information to data subject: a. On the Controller: the identity and contact details of the controller and, where applicable, their representative, the contact details for the data protection officer, if any b. On the Personal Data: Categories of personal data concerned and the Recipients (or categories of recipients) of the personal data 1. Provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject; 2. Request prior authorisation if it wants to delegate the processing to another processor or, if it has been already granted with a generic authorisation to delegate, inform the controller in advance and give it the opportunity to object; 3. Impose the same data protection obligations to another processor by way of a contract while remaining fully liable to the controller for the performance of that other processor's obligations; 4. Maintain records of the categories of processing; 5. Enter into a contract or other legal act with the controller which sets out:  the subject-matter and duration of the processing,  the nature and purpose of the processing,  the type of personal data and categories of data subjects, and  the obligations and rights of the controller.
  8. 8. | #WebinarWednesdays a. On the processing: The purposes and legal basis for the processing: i. Consent ii. performance of a contract iii. legal obligation, iv. legitimate interest, if it is not overridden by the interests or fundamental rights and freedom of the Data Subject, or v. (to protect a vital interest and public interest). b. The storage period (or if not possible, criteria used to determine that period) c. The existence of automated decision-making including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject d. Details of transfers to third countries, the fact of same and the details of the relevant safeguards (including the existence or absence of a Commission adequacy decision) and the means to obtain a copy of them or where they have been made available In addition, the contract or other legal act shall stipulate that the processor:  processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country, or before the processing the processor informs the controller if a legal requirement obliges it to do so,  ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,  takes all measures required to ensure security of processing, which may include: o the pseudonymisation and encryption of personal data, o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, o the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, o a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Main obligations of the controller Main obligations of the processor
  9. 9. | #WebinarWednesdays a. On the rights of the data subject i.e. to: i. be informed, have access , rectification, erasure , restriction on processing, objection to processing and data portability, object to automated decision making and profiling, the right to lodge a complaint with a supervisory authority, claim for indemnification. b. Where processing is based on consent (or explicit consent), the right to withdraw consent at any time c. Where legitimate interests is the legal basis for the processing, the legitimate interests pursued by the data controller or a third party d. Whether there is a statutory or contractual requirement to provide the information or whether it is necessary to enter into a contract or whether there is an obligation to provide the information and the possible consequences of failure. e. If data are received from a third party, the source from which the personal data originate, and if applicable, whether it came from a publicly accessible source 7. Facilitate the exercise of data subject rights 8. Notify the CNDP on data breach (72 hours) and communicate to Data Subject if there is a high risk to the Data Subject rights and freedom 9. In certain circumstances, appoint a DPO (core activity consists on processing data on a large scale) and perform a DP Impact Assessment (large scale of data processing, systematic monitoring, etc.), and 10. Respond to the CNDP inquires.  assists the controller by appropriate technical and organisational measures for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;  assists the controller in drafting the DPIA, ensure security of processing, notify data breaches, assist when prior consultation of the supervisory authority in charge is required;  upon request deletes or returns all the personal data to the controller after the end of the provision of services relating to the processing, and deletes existing copies;  makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 1. Notify the controller without undue delay after becoming aware of a personal data breach; 2. In certain circumstances, appoint a DPO (core activity consists on processing data on a large scale) and perform a DPIA (large scale of data processing, systematic monitoring, etc.); and 3. Respond to the possible inquiries from supervisory authorities. Note: If a processor infringes the GDPR by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing. Main obligations of the controller Main obligations of the processor
  10. 10. | #WebinarWednesdays WEBINAR SPONSOR