By Tom Cole, Director – Europe at Abacus Group
Credit Suisse Prime Services out of London recently interviewed me for a whitepaper they’ve released to clients on considerations for investment managers when it comes to the new EU General Data Protection Regulation (GDPR), going into effect on 25th May of this year.
Here’s an excerpt from the interview:
How are you preparing for the GDPR and what changes, if any, are you making to your platform/offering (new technology, changes in technology configuration etc.)?
Given our multinational presence, when complying with new regulatory initiatives such as GDPR, it’s important that we review our systems holistically, with the goal of seeking efficiencies and opportunities, all while identifying relevant implications for the entire organization. As a result of this approach, we’ve recognized synergies between preparing for Privacy Shield and GDPR compliance. As such, we’re simultaneously applying a global framework to tackle data privacy as it relates to both endeavors. In fact, after initial analysis, we’ve found that the majority of the requirements for GDPR have already been met by our existing security programs.
Whilst it is important to note there is not a single technology solution to become GDPR compliant, Abacus maintains a mature information security framework, therefore no specific investment in new technology has been necessary. Instead, we have called upon existing technology solutions within our platform. For example, we’re using Varonis to automate discovery of data within our platform. Eventually, we expect to also integrate this reporting mechanism of Varonis into our AbacusFLEX™ IT-as-a-Service platform for clients to use as well. But, I must again stress that these tools will be complementary to business processes, not the backbone of a GDPR compliance framework.
What is Privacy Shield? The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Source: www.privacyshield.gov
What do you see as the main challenges in complying with the GDPR?
The challenges of complying with the GDPR are proportionate to the maturity of an organization’s information security framework. The days of using a template policy with some modest technical controls for ‘security’ are nearing the end. Firms will need to have information security ingrained in their business with complete executive support. GDPR compliance is not a one-off effort – it’s ongoing and will require synergies throughout a business. In addition, where possible, automation can assist with consistencies and efficiencies.
Data categorization is a challenge many firms will have to overcome. Also, many clients think it’s just a technology problem, very similar to when there was a focus on BCP a few years back. Another big challenge we see is that many managers don’t have the staffing to identify roles and responsibilities internally, and you can’t just pay a provider to get it done; it is an ongoing commitment.
Are you making any changes to your client contracts or providing a separate contract as a result of the GDPR?
Our client contracts will include language to indicate compliance efforts with regard to both Privacy Shield and GDPR. We are also going through a process to ensure all of our vendors and technical partners have the same.
No clients to date have asked for contractual changes, although we will be pro-actively adding language to offer comfort that Abacus is committed to ongoing GDPR compliance.
Will you, as a processor under the GDPR, be providing standard information and/or a DDQ to your clients, and what detail will this include?
Part of the compliance toolkit that we provide for all Abacus clients includes access to our proprietary Client Portal system, where we house a library of important DDQ documents, including our SIG Lite (Standard Information Gathering), our WISP (Written Information Security Plan), and our AITEC questionnaire, a comprehensive overview of our Abacus IT systems and data centres, and more. This allows our clients to have on-demand access to these important documents for DDQ purposes. Along these lines, we’ll also soon be providing a GDPR document via our Client Portal, highlighting pertinent details with regard to our GDPR readiness and ongoing compliance commitment.
What are the main concerns you are hearing from clients in relation to the GDPR?
MiFID II understandably absorbed many firms’ energy and focus throughout 2017. Now that the dust is settling, firms are recognising the regulatory requirement of GDPR and are now fully focused on it. Generally speaking, we’re hearing that regulatory costs and operational energy are of concern. More specifically, there’s concern that the fines for non-compliance will be quite significant. We’re also seeing how the industry is being flooded with fact sheets, blog posts, recommended certifications, etc., making it difficult for firms to distinguish between pragmatic guidance and what’s truly required, versus what’s actually an upsell of a service provider’s products.
Will you be providing GDPR advisory services and if so, what will this be?
We do not plan on offering GDPR advisory services, per se, as it could be perceived as a conflict of interest considering we manage and maintain a firm’s IT systems. That being said, though, we see our IT services and platform extending and evolving to assist clients in their journey along continual GDPR compliance. In addition, as part of our strategy to make security an even more integral part of our overall business operations, Abacus Group added a new C-level position in 2017, titled Chief Information Security Officer (CISO), reporting directly to our CEO. Our newly appointed CISO, Dave Parsons, brings 25 years of experience in the IT and security fields, having worked primarily as a private security consultant for some of the largest financial services firms in the world, including Barclays, Deutsche Bank, Citibank and Macquarie Bank. Dave’s vast experience and leadership are poised to further enhance our security products and services.
Based out of the Abacus London Office, Tom Cole manages our UK operation and all Abacus European employees. In this role, Tom is focused on strategy, client service, technical development and business development in the European markets. Prior to Abacus, Tom was the Chief Technology Officer for COMAC Capital (Europe) Ltd (“CCEL”), a multibillion global macro hedge fund. As CTO he led COMAC’s technology strategy, cyber security practices and group business continuity planning. Prior to that he held various technologist roles within Balyasny Asset Management, Glencore and Publicis Groupe. Tom was awarded distinction for MSc studies from the University of Liverpool.