As a transfer agent that manages the records of over 23 million shareholders, EQ already complies with robust data protection requirements surrounding financial services in the U.S. and Canada. The interaction with GDPR, however, is forcing us to carefully review our operations and make changes and enhancements to ensure that our clients remain compliant.
Let's start with an overview of GDPR terminology and its framework, as they relate to shareholder services.
Data subject: owner of the data (in our case, the shareholder)
Data controller: collector of the data (you, the issuer)
Data processor: holder or manipulator of the data (us, the transfer agent)
Personal data: information that identifies a specific living person, or what we in the U.S. would call PII (Personally Identifiable Information)
Lawful basis of processing: one of 6 possible reasons why you, as the data controller, can collect personal data from a data subject without obtaining their consent
Privacy notice: a notice from data controller to the data subject that must be received before the data is collected, explaining why the data is collected and what it's going to be used for
6 bases for lawfully collecting data under the GDPR
- There is a legal requirement to collect data to comply with a law
- There is a contract between the parties that gives the data collector the right to collect
- A data subject explicitly consents to the collection (though their consent can be withdrawn any time)
- There is a legitimate reason where data processing is justified
- When data processing is in the vital interest of the data subject (for example, to save their life)
- Governmental right
What rights does a data subject (shareholder) have?
- They are entitled to be informed, to understand the processing of their data and to receive a copy of the data that is held on them if they so request, without being charged a fee for that data.
- They can request a change to any data that is wrong or misleading.
- They can request erasure (deletion) of data.
- They can object to their data being processed.
- They can request restrictions on the processing of the data.
- They can request that the data be ported or transferred to another service provider.
When can you deny a shareholder's request?
If a shareholder requests that you delete data, or stop or restrict the processing of it, you can deny that request if you need the data to operate the service or to meet a legal requirement. For example, if a shareholder requested that their name and address be deleted, we, as the transfer agent, have the right to inform the shareholder that we cannot do the job for them without this data. If they still wanted us to do the work, we could deny their request to delete or restrict processing of the data.
How did we get here?
Over the past 20 years, and more intensely over the last five years, data protection has become a hot political topic in Europe and worldwide. Escalating incidents, from the leakage of national security agencies' data collection practices to voter profiling and targeting, cybercrime, and data breaches, have all led to increased support for greater levels of investigation and enforcement.
Here in the U.S., data protection is governed by the states, and there are limited federal regulations regarding it. Every state has its own rules, which results in a fragmented system. For this reason, the EU considers data protection in the U.S. to be significantly weaker than in the EU.
Through the GDPR, the EU now stipulates that it regards data protection as a human right. Data subjects are deemed to have the right to control their personal data and the use of their personal data. Specifically, they are entitled to know who the data controller is, who they're giving their data to, what data is being collected, what will be done with that data, how their rights will be protected, and who they can contact about that data.
How does it affect shareholder services?
The GDPR outlines three basic tenets for compliance that affect U.S. businesses and their transfer agents.
- Liability: You, the data controller, are required to meet GDPR, and you remain responsible, regardless of how the processing is arranged and contracted. Therefore, an error with a data processor creates a direct compliance issue for the data controller. You are ultimately responsible for what your transfer agent does.
- Contract: Any transmission of data from the data controller (you) to the data processor (EQ) must be accompanied by a contract defining our respective roles, ensuring that you are directing and have effective control over the activities we perform. This means we cannot process (store, transfer, use or analyze) any data regarding a shareholder if it's not explicitly authorized and directed by you.
What you need to do (as the Issuer)
- Make sure your privacy notice is updated and sent to shareholders prior to May 25, 2018. Whether you do it or assign this task to your transfer agent, ultimately, you are responsible for making sure it gets done.
- Work with your transfer agent to ensure that your contract clearly defines the roles each of you has in collecting and processing data.
- Talk to your transfer agent to make sure you have processes in place by the May 25th deadline to meet any shareholder requests that come in after GDPR is in effect.