GDPR and Data Privacy

Several large Silicon Valley firms have been in the news frequently regarding what data they store about you, what they do with that data and what they tell their consumers. The question becomes what rights do you have in an online world and what standards are applied to these companies that store your data. GDPR (General Data Protection Regulation) aims to answer that. GDPR went into effect on May 2018 and aims to standardize and protect the rights of EU (European Union) citizens in regards to their PII (Personally Identifiable Information) data.

This regulation applies to all EU citizens regardless of location meaning that an investment manager based in the US must abide by these regulations if any of their investors or employees are EU citizens. GDPR may seem a bit draconian but it is the trend (see the Congressional Hearings on the prominent Social Media companies) and other countries will follow the EU’s lead and craft their own PII protection laws.

As an example, the US is considering their own version of General Data Protection Regulation (GDPR):

Click this Link for the Details on US GDPR

Compliance using Document Management Technology

In addition, GDPR will continue to evolve to protect the changing definition of PII data and its usage. For your firm to be able to meet these laws effectively, we recommend using a Document Management System (DMS) such as Microsoft SharePoint Online. Several key DMS technologies will facilitate your regulatory compliance and the ability to pivot rapidly to comply with any new regulations or changes.

• Data Inventory – Regulations such as GDPR place an emphasis on knowing what personally identifiable information (PII) data you store and the ability to extract it on request. In Office 365, Data Loss Prevention (DLP) can identify over 80 common sensitive data types including financial, medical, and PII. EU common sensitive data types are pre-defined and custom sensitive data types can be added to properly categorize current and future definitions of PII data. Furthermore, all Office 365 products (i.e. Outlook, SharePoint, Skype) can be searched through at the same time using Office 365 eDiscovery resulting in a comprehensive PII search
• Data Protection – A common theme of regulations whether it be GDPR or the SEC Safeguards Rule and Identity Theft Red Flags Rule is the safeguarding of data personal and confidential data. Using the Office 365 Security & Compliance Center, you can use DLP to lock down data by preventing internal and/or external sharing of the data. Furthermore, with data on the cloud, you can enable an additional layer of security through Service Encryption with Customer Key which encrypts your data at rest wherever it may reside
• Data Retention / Destruction – Regulations also require Account information and Books and Records to be kept for minimum periods of time (for example Account Information must be kept for 6 years). SharePoint can automate these Document Retention rules using Document Retention Policies eliminating any human error. Retention policies can also be set on a more granular level to govern specific types of documents such as Financial Documents. Once the data is no longer useful or required to be kept, data can also be purged using automated rules and workflows.

For additional information from Microsoft on how they meet GDPR requirements, see:

https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-information-protection-for-gdpr

FinServ Can Help – FinServ is a Microsoft Partner and Integrator. We have done numerous Document Management system implementations for asset managers and approach the project from a policy view. We will help you define your Document Management policies first to meet Compliance and GDPR and other regulatory body requirements. We understand the business and work with you each step of the way to implement the Document Management system on time and on budget.

To learn more about FinServ Consulting’s services, please contact us at info@www.finservconsulting.com or (646) 603-3799.