
Monday, May 21, 2018

Interpretations for Privacy Policy and GDPR Compliance

By Cory Roberson, Principal at RIA Review and RIA Consults
What does GDPR stand for?

The General Data Protection Regulation (GDPR) replaces the EU’s Data Protection Directive (“European privacy policy”), first adopted in 1995. The regulation now requires businesses in Europe and abroad to adopt additional safeguards for the protection of client information belonging to their EU citizen clients. For U.S.-based firms with European business, it serves as an extension of their existing privacy policy and procedures.

Applicability Date:  May 25, 2018

How do European privacy rules apply to my business in the U.S.?

GDPR applies to:
Firms located in the U.S. that conduct business in the EU, share or export big data (controllers)* within the EU, and/or have EU resident clients (e.g. EU residents, EU citizens, cross-border activities, big data/analytics businesses).

GDPR doesn’t apply to:
Firms located in the U.S. that have no EU business operations, no data exporting/sharing within the EU, and no clients who are EU residents/citizens.

Does GDPR require an update to my existing Privacy Policy?
Most firms, in compliance with Regulation S-P, already have a privacy policy that details the protection of client information and the use of client data for business operations. If your business doesn’t have a privacy policy, now is a good time to create one.

Firms with EU business operations should enhance their current privacy procedures based on their business practices. Do you have EU clients/operations? If so, do you provide an opt-out for sending notifications or using their data? Do you provide a privacy disclosure to EU citizens? Do you export/analyze data on a large scale (“controller”)?

Firms can implement an opt-in disclosure for EU residents receiving notifications according to their privacy policy.  For advisors, this disclosure can be added to the firm’s annual offer letter/procedures.

Firms can also review their existing privacy and data breach procedures (EU clients must be notified within 72 hours according to Article 33 of the EU GDPR).

Firms with Internet/data businesses (e.g. online robo-advisors, mutual funds, research firms) should adopt an opt-in/opt-out function on their website, since online advisors may reach clients within the EU. Review definitions for “controllers” at  We recommend consulting with your IT team or consultant about proper protocols if you haven’t already done so.

Firms with no EU business operations: no updates needed beyond the Reg. S-P requirements.

Firms that share/export data on a large scale (“controllers”) should identify a data protection officer (DPO) in the EU.*

*Controller: DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences. Examples: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). Source: (

Note: The site was recently down. If the site still doesn’t work, you can refer to: for more information.

Generally speaking, firms that are under EU regulatory authority, located in the EU, maintain cross-border business operations, and/or run big data operations in the EU are the most likely to face examination by European regulators for additional safeguards. At this point, we do not provide any further interpretation of European regulatory compliance issues.

Things to consider:

Conduct a risk assessment of sensitive areas (e.g. password protection, storage of records, access to data)
Run an annual or periodic test of data systems/security protection (e.g. many firms hire an IT firm to help with this area)
Refer to the general Cybersecurity Checklist in RIA Review

Privacy Policy Notice/Procedures: 
Follow the steps outlined in your existing procedures.
Send clients the annual notice (due within 120 days of the firm’s fiscal year end)

If you don’t have a privacy notice, a template is available online at RIA Review.
Short version: covers standard privacy provisions.
Long version: details online/data/cookies provisions.
GDPR Compliance (only if you do business in the EU/have EU clients):
Include a disclosure for EU residents of their right to opt out of communications.

GDPR Privacy Policy Disclosure/EU Residents Rights: 
Our data is used in connection with services provided for your firm; you can choose to opt out of receiving future notifications at any time. We have provided a copy of our privacy notices below.

Our Privacy Policy Disclosures
Firms can review our privacy policy for our use of data. We may use/share data with our vendors/affiliates in connection with services provided to your firm. In addition, we are adding security protocols to RIA Review, including two- or three-factor authentication tools.

Our Mission: “Serving the Investment Community to Make a Social Impact”

Cory Roberson is Principal of RIA Review, a compliance and document management portal ( - 110+ users and growing. He is also Principal of RIA Consults (Roberson Consults Group), a consulting firm providing compliance, operations, and business development services for registered investment advisors and next-gen fintech entrepreneurs ( more than 160 SEC and state advisor clients across the US (including a few in Europe). His third platform, RegTech Review, a FinTech compliance portal site: ( is currently in the prototype stage.

As a social entrepreneur, through his mission-driven arm SoCap Missions (, he provides business support group sessions and has volunteered for more than 15 youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
