The European Union’s General Data Protection Regulation ("GDPR") has “extra-territorial” effect, meaning it may apply to non-EU firms that process EU resident personal information. This article provides practical considerations for United States-based transfer agents.
This article originally appeared in The Securities Transfer Association’s July 2018 newsletter and is reprinted here with permission.
Transfer agent readers, imagine the following: One day you are happily sitting at your desk doing your transfer agent business when you receive a call from your client (for instance, your mutual fund client). This client tells you that they are a “Data Controller” under the European Union’s General Data Protection Regulation (“GDPR”). Not only that, your client also tells you that your firm is a “Data Processor” with its own compliance obligations under GDPR! What to do, what to do?
This may have happened to you already, or it might happen to you in the future. The GDPR imposes compliance obligations on firms that “process” personal information about EU residents. The GDPR has “extra-territorial” effect, meaning that it applies not only to EU firms but may also apply to firms outside the EU that process EU resident personal information. And these compliance obligations come with very severe penalties for non-compliance, so simply ignoring them may not be the best strategy.
Should you believe yourself to be in this situation, you should consult with your legal counsel and assess if: 1) your shareholder records contain EU residents’ personal information, and 2) your firm is a data processor. If answers to both determinations are affirmative, you should work with your legal counsel to determine what measures you should take to comply with GDPR. Such measures are likely to include the following:
The GDPR mandates specific language to be included in contracts between a data controller and a data processor, which will need to be formalized through an amendment to your contract. If you believe that you are a data processor for several data controller clients, then it might be a good idea to proactively prepare a standard contract amendment to offer your data controller clients.
Should you and your legal counsel determine you are a data processor subject to the GDPR, your legal counsel is likely to recommend that you create and maintain a record of all categories of processing activities carried out on behalf of the data controller, which should include, among other things, 1) the categories of processing carried out on behalf of the data controller, 2) details of the transfer of personal information to a third country, and 3) a general description of the technical and organizational security measures in place. Please note: the record of processing activities is not merely a “one and done” exercise, but should be periodically reviewed and maintained.
In preparing your data inventory, (i) consider including not only the information you possess and process, but also the reasons why you have the information and why you process it in the way that you do; (ii) use the inventory to determine whether or not you maintain and process EU resident information for a “lawful purpose” (where you are required by law), and whether your processing environment reflects the concept of “privacy by design”; (iii) use the inventory process to ascertain whether you possess “special category” data (e.g., personal medical information) and are therefore subject to more compliance obligations related to that data; and (iv) ensure that your inventory also captures if and how EU resident information is used and disseminated to third parties or across borders.
Once you have created your record of processing activities, you can use the information gathered to help you in identifying technological gaps that may need to be addressed. For example, is your organization’s technology used to transmit EU resident information externally and, if so, is such transmission protected? Or, can you comply with an EU resident request to be forgotten (assuming that you no longer have a lawful purpose for possessing that information)? The answers to questions raised in this analysis may lead you to undertake technology or business-practice changes.
The GDPR grants certain rights to EU residents. While it is the data controller’s obligation to manage and respond to requests by individuals to exercise these rights, the data controller may look to you, as the data processor, to assist in validating or responding to the requests. Some of these rights are absolute and some are qualified. Legal counsel should be consulted, but an example of an absolute right is the right to rectification, which is the right to rectify, or correct, inaccurate personal information being processed. A qualified right is a right that is subject to the specific circumstances. One example of a qualified right is an EU resident’s right to erasure (to be forgotten). The right to erasure is restricted if that information must be maintained pursuant to legal requirements, such as record retention requirements imposed by anti-money laundering regulations.
You might be wise to consult with counsel and implement, early on, a procedure to handle individual rights requests, so that you aren’t faced with scrambling to react to a request if or when you receive one. As part of this procedure, you may want to identify the circumstances under which the procedure would be invoked, how the request should be handled, interactions with your data controller client and, ultimately, communication to the EU resident.
The GDPR requires the data controller to undertake certain notifications to the relevant authorities should EU resident information be subject to a breach, as that term is defined in the GDPR. The data controller must meet required deadlines to accomplish these notifications, and you, as data processor, must be sensitive to these needs. Implementing data breach notification procedures would help to prevent delays in notifying your data controller client about a data breach if one should occur.
If your service model includes the use of sub-processor providers to perform services on your behalf using EU residents’ personal information, you will be responsible for the actions of those sub-processors under the GDPR. Consult with your legal counsel to determine the extent to which your agreements with those sub-processors need to be amended to comply with GDPR requirements.
Depending on your operating environment, consider providing your staff with general training on the compliance obligations posed by GDPR. Also provide specific training on their responsibilities related to new or amended procedures that you are implementing in response to GDPR.
While it may seem like the GDPR doesn’t really apply in the United States, it may apply to you and your firm. If it does, the consequences for non-compliance could be severe. The GDPR went into effect on May 25, 2018, so if you think the GDPR might apply to you, or if one of your clients informs you that they have a GDPR compliance obligation, you should immediately contact your legal counsel to determine what obligations you have under GDPR. Your legal counsel could advise you to begin some or all of the steps listed here. Addressing these questions with counsel now will help you down the road to meeting your GDPR compliance obligations accurately and in a timely manner.
BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may also be used as a generic term to reference the Corporation as a whole or its various subsidiaries generally. Products and services may be provided under various brand names and in various countries by subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation where authorized and regulated as required within each jurisdiction. The material contained in this document, which may be considered advertising, is for general information and reference purposes only and is not intended to provide or be construed as legal, tax, accounting, investment, financial or other professional advice on any matter, and is not to be used as such. BNY Mellon assumes no liability (direct or consequential or any other form of liability) for any errors in or reliance upon this information. This document, and the statements contained herein, are not an offer or solicitation to buy or sell any products (including financial products) or services or to participate in any particular strategy mentioned and should not be construed as such. The views expressed within this article are those of the authors only and not those of BNY Mellon or any of its subsidiaries or affiliates.
© 2018 The Bank of New York Mellon Corporation.
Vice President, Transfer Agent Regulatory Management, BNY Mellon Asset Servicing
Charles S. Hawkins is a Vice President in the Transfer Agent Regulatory Management Department at BNY Mellon’s asset servicing group, which is responsible for coordinating the delivery of regulatory services to transfer agency clients. Mr. Hawkins’s responsibilities include the design and implementation of compliance solutions for new or amended regulations.