Iain Bonner-Fomes https://alpha-week.com/

Shoots...Scores! Finally, After All These Years, It's A Goal!
https://alpha-week.com/shootsscores-finally-after-all-these-years-its-goal
<span>Mon, 07/09/2018 - 12:12</span>
<div class="field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>The long-awaited curse is over.</p>
<p>No, not England’s win on penalties (yes, I was as amazed as the next person) - it’s the wait for a decent regulation that might actually make things better for everyone.</p>
<p>The Senior Managers and Certification Regime (SM&amp;CR) is coming to all FCA-registered firms on December 9th, 2019 (the insurance industry goes a year earlier, on Dec 10th, 2018). The FCA’s plans have been agreed upon as necessary and beneficial, outweighing the cost of implementation many times over, and as such will need to be in place next year.</p>
<p>SM&amp;CR will oblige all firms to put people in positions of responsibility and make them liable for their actions, requiring them to attest to the controls in place and to evidence that they have done so. For those of you who do not know this regulation, it has been in place for a while, targeted at firms that have a significant industry presence or are deemed significant at an infrastructure level. These have included any bank, building society, credit union, large investment bank or insurance company, but this still only represented around 5% of total regulated firms, many of which have been dual-regulated by both the FCA and the PRA (i.e. the very big firms). Now, it is coming to all. Eyestorm Advisors sees this as a common-sense development for the industry, improving its culture and making sure that its officers are fit and proper, and we are happy to see it being expanded to encompass all regulated firms.</p>
<p><strong>Not All Regulations Are Equal</strong></p>
<p>Over the past decade, we have seen just about everything challenged, and every business practice, process and operational workflow monitored, changed and adapted to suit an ever-burgeoning book of regulation, most of which seems to have been thought up and designed by politicians and civil servants who have no idea how the markets work, what the markets do, or how and why the business has evolved.</p>
<p>The law of unintended consequences is something that I speak of a great deal in these articles. Let’s take capital requirements, for example. No one can make an argument that asking banks to hold more capital is a bad idea, right? Except that as a consequence of asking them to hold more capital we get the following:</p>
<p>1. Outsourcing of risk to investment firms that hold almost no capital themselves. Mostly, they have only their clients’ money.</p>
<p>2. Less liquidity in the market as banks retreat from market making, so over time spreads will widen and the cost of transacting will go up as the number of players lessens.</p>
<p>3. Less access to new or evolving products, and more restrictive lending practices.</p>
<p>So the end result is:</p>
<p>1. If someone makes a mistake there is little or no balance sheet to absorb the losses.</p>
<p>2. Higher costs for the industry, sucking out liquidity and detracting from returns to end customers.</p>
<p>3. Less access to capital for new projects for end customers.</p>
<p>This is at a time when governments are demanding more lending and more consumer transparency, thus bearing down on costs; this is at a time when people are pouring in to get 2.5% on US Treasuries because they can’t get yield anywhere. Governments say they want an outcome that boosts tax revenues and growth, but they have established and are maintaining rules that can only lead to the opposite outcome. Why do we not hear this from the industry players? Why are the directors and shareholders not speaking out? Because to do so would be considered heresy by the regulators, media and governments who have tried the industry in the court of public opinion. And until someone comes along with a bigger bogeyman to blame for the world’s ills, it’s 'toe the line' time.</p>
<p><strong>Light At The End Of The Tunnel?</strong></p>
<p>Repeal of Dodd-Frank in the US started to look like it might be the market’s saviour and that some common sense might come back into fashion. If one government can start rolling back this type of legislation, maybe the others will follow suit. But the “repeal” has been a classic fudge, with the Choice Act (something that truly would have replaced Dodd-Frank) being rejected by the Senate and sent back as a replacement of existing law. In the end, the changes were small:</p>
<p>1. Bank SIFI regulation was amended so the Fed would be able to set more lenient terms for organisations, by removing the unindexed $50bn cap and making it $250bn indexed for growth (though most organisations in institutional business would be far above this threshold anyway).</p>
<p>2. Some obtuse rules and procedures around lending to mobile home owners and not profiling race on mortgages were changed.</p>
<p>3. Credit agencies were given a much lower level of liability for errors, despite the fact that 1 in 4 credit ratings checks have errors, according to a study by the US Government (am I the only one who thinks this is staggeringly high?).</p>
<p>The changes made were a start by the Trump administration, but they in no way affect the mainstream of lending activity and do little to improve the book of regulation that must be adhered to; frankly, they are more about the tone of repeal than the effect of it. Most of the actual change has come by directing appointments to the top of bodies such as the FDIC. That can be reversed by a different administration very quickly. However, in changing the tone, it has inspired activity.</p>
<p><strong>The Market Rides To The Rescue</strong></p>
<p>Despite the lack of true repeal, something has stirred in the US. Local bank lending in the US has been rising four-fold versus major bank lending. This is where we are seeing the real difference in the US: lending is driving the economy forward, with interest rate rises seen as a given. Real wage growth in the US is now running at 0.3% per month (annualised, close to 3.7%), unemployment is down to 3.8%, and across a basket of counties in states from the rust belt to the prairies it averages 2.0%. That is realistically zero unemployment, as a figure of 2.0% is normally considered to be churn within the existing labour market.</p>
<p>What I believe we are seeing in the USA is the normalisation of business and the 'big means good' model being challenged by fresh players: growing, adaptable smaller businesses that can compete. The question for the rest of the world is going to be, “at what point do you try and do the same?”</p>
<p>This may be a long time coming. Put simply, national and supra-national governments don’t have the means, wherewithal or desire to do so. Where are the smaller lenders to plug these gaps in the EU, for example? It is no surprise that across Europe a plethora of new hedge funds is opening to fill the ever-widening gap between what the major banks’ corporate lending arms are allowed to lend under tightening risk profiles and what the market requires to start projects and achieve growth. PE lending is continuing to grow, and companies are de-listing as they see less and less benefit in offering to the public, with ever greater legislation on what they can and cannot do. This is the market trying to plug gaps for the established businesses that need access to lending, but it won’t help start-ups and retail lending at all, and that’s where the economy is getting its fillip in the US.</p>
<p><strong>SM&amp;CR Shows The Way</strong></p>
<p>The situation in the US has come about in spite of regulation and not because of it. Perhaps this ought to be shouted from the rooftops a bit more often. The constriction of industry through often needless and overbearing legislation has created the opportunity for others to fill the gap, and they have taken it. These new players need to be monitored and controlled appropriately, but in a constructive way, and that is what SM&amp;CR does. It sets out to make sure that people in senior roles are appropriate and have the necessary skills and background. It makes them responsible for their actions. It doesn’t hector, it doesn’t tell people how to do their jobs, and it doesn’t set out prescriptive rules about how and what must be done by an organisation to the point where compliance removes differentiation. This is an example of what good regulation looks like. It treats the industry and the end customer as adults and not as children that must be ordered about or molly-coddled.</p>
<p><strong>In Summary</strong></p>
<p>The long and short of it is that we now have good regulation and bad regulation. The good is that which enables business to function and achieve its goals, makes sure that customers are appropriate for the products they are offered, and ensures that market practices are not abused. The prescriptive regulation that tells everyone how to do every tiny little thing (like most of MiFIR/MiFID II) is a burden that carries no real benefit. A stripped-out version that captures the essence of what was needed to protect consumers always made more sense. I still can’t work out who it was that determined that this was beneficial; I only know one hedge fund manager that speaks up for enforcing it (most likely because barriers to entry are the only way they would get any business in the first place). I still can’t see how any of it is going to stop a catastrophic failure at one business falling on the next (perhaps someone could write to me if they know, because I would love a debate about this).</p>
<p>Good is SM&amp;CR and MAR. Bad is MiFIR/MiFID II and Dodd-Frank/Volcker. It’s time for there to be a realisation of this, and a debate about how to stop the nanny state and start business again for the benefit of everyone. After all, the end consumer always ends up paying the price, and restrictive practice is what we have now, with little or no value to the people on whose behalf it is supposed to be done.</p>
<p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p>
</div>
<a href="/author/iain-bonner-fomes" hreflang="en">Iain Bonner-Fomes</a>

And They're Off! GDPR Is Live!
https://alpha-week.com/and-theyre-gdpr-live <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--title--features.html.twig x field--node--title.html.twig * field--node--features.html.twig * field--title.html.twig * field--string.html.twig * field.html.twig --> <!-- BEGIN OUTPUT from 'core/modules/node/templates/field--node--title.html.twig' --> <span>And They&#039;re Off! GDPR Is Live!</span> <!-- END OUTPUT from 'core/modules/node/templates/field--node--title.html.twig' --> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--created--features.html.twig x field--node--created.html.twig * field--node--features.html.twig * field--created.html.twig * field--created.html.twig * field.html.twig --> <!-- BEGIN OUTPUT from 'core/modules/node/templates/field--node--created.html.twig' --> <span>Mon, 06/11/2018 - 10:18</span> <!-- END OUTPUT from 'core/modules/node/templates/field--node--created.html.twig' --> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--body--features.html.twig * field--node--body.html.twig * field--node--features.html.twig * field--body.html.twig * field--text-with-summary.html.twig x field.html.twig --> <!-- BEGIN OUTPUT from 'themes/gavias_vinor/templates/fields/field.html.twig' --> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>So, as expected, the runners have been chomping at their bits and within seven days of Live Date, they’re off. Racing vernacular I am aware, but as it has been Derby week and we are about to go into Royal Ascot, so I figured it was appropriate.</p> <p>Already, we have seen two major events. First came TSB, who seem to be able to make a drama out of a crisis and then turn it in to another crisis. We have all read about TSB’s woes with its core banking system change and how most of its customers were left unable to pay bills, access accounts etc. 
You would think this was bad enough, but the bank that likes to say “Err, Um, I am sure you will get access soon” has decided to send private details of its customers to all its other customers, often referencing account details.</p> <p>The story goes that TSB, in its haste to communicate with its customers, managed to copy everyone to everyone.  John Mann, part of a UK parliament committee investigating the first debacle has stated "They've breached the law (GDPR) and there'll be consequences from it. This information could be used by fraudsters and it will undoubtedly cause people distress.</p> <p>"The fact this is happening six weeks on from their initial problem is very concerning. How long is it going to take for them to fix this?"</p> <p>There is no-one that does indignance better than the politicos; expect fines to be punitive.</p> <p>Next comes the news that NOYB have decided to file massive class action lawsuits at Google and Facebook. NOYB - or “None of Your Business” - is a non-profit organisation privacy activism organisation, headed up by Max Schrems, an Austrian lawyer. The compliant stems from the lack of transparency in these consent forms/privacy statements. By the end of GDPR live day - Friday, 25 May - NOYB sued global platforms with multibillion-euro complaints. 3 complaints against Facebook and two subsidiaries said to be valued at €3.9 billion were filed in the early hours of the morning after GDPR went live, via data regulators in Austria, Belgium and Germany. Another complaint valued at €3.7 billion was lodged with France’s CNIL in the case of Google’s Android operating system.</p> <p><strong>Unintended Consequences?</strong></p> <p>GDPR is the classic example of the law of “unintended” consequences. Let’s assume that the EU commission set out to define a law that would protect private citizen’s data.  Would it have gone about it in this way? You could sum up what was needed in two sentences:</p> <p>1. 
Make it illegal to share private personal data to anyone else without express consent;</p> <p>2. Protect private data by keeping it in a separate system encrypted and allow reference to this data only when necessary.</p> <p>This would afford us all with the ability to see that we need to take things seriously, that we need private personal data differently and we would know what we have to do about it, so why was it necessary to have 88 pages and 89 articles stuff full of obscure rules that most of them don’t even understand?</p> <p>In the UK we also have the Data Protection Bill 2018, (which does a good job of telling anyone in law enforcement and public bodies what they need to do) but almost completely avoids talking about commercial business because it wasn’t part of anything that the UK could change through derogations.</p> <p>The worst thing about this is that, judging by the cooing from the media, GDPR or something similar will end up being the standard for the world (bar the US). Governments around the world apparently cannot wait to tell corporate giants how to do their business and fine them when they don’t do as they are told, which begs the question as to whether this is about private personal data or just another big stick for Big Government to throw at Big Business. If the latter is the case, why not regulate big business behaviour instead? Why all this fuss and obfuscation? In my opinion, the answer is that they can’t be seen to be against big business because they are the people they support and support them. So, it is done via the back door. If it is not the case that this about controlling big data providers, most of which are US based companies, then someone needs to make a better argument than the ones I have found. </p> <p><strong>What Comes Next?</strong></p> <p>In essence, chaos and confusion. 
The data privacy experts with political or social objections to profit makers are already licking their lips at the thought of tying up enterprise with law suits that would two weeks ago have been seen as utterly frivolous. Lawyers will begin filing Subject Access Requests on everything and anything, hoping to catch someone off guard; the public will sit back and watch with bemusement, until such times as the lawyers start using legitimate interest rules by contacting them direct to ask whether they have received email that they didn’t ask for. </p> <p>Many good things could come out of this regulation. This is not a snipe at what it is trying to achieve but more the method. At the Infosec conference the main topic of conversation was data privacy and what to do about it. It is a good thing that this is now on the radar for everyone. What is not so good is that the solutions and options that were being recommended were so varied and very often contradictory. The Data Privacy lawyers, the IT consultancies and the business advisories like Eyestorm could not agree on what the issue was, what the solution was and what the next stage should be. They all look at GDPR from a different direction and are reaching different conclusions. If the law was clear we would all meet in the middle.</p> <p><strong>Hedge Funds: The Next Target?</strong></p> <p>Probably not, but not far behind. The fact is that the world, whether we like it or not, has painted our industry with a negative view. Banks are already the “Devil Incarnate” and they are going to need to be braced for punitive fines and bad media coverage. TSB seems to have decided it wants to be first. The problems of deep pockets syndrome and unpopular coverage amongst the general public aren’t going to away any time soon. 
For these reasons alone, the hedge fund industry needs to be very careful.</p> <p>Be aware that the targeting of any business that the public considers unpopular (or more appropriately the media can paint as such) is where the ICO will start. They will want people to take them seriously and that means targeting all businesses that have seemed to be above the law in the minds of the uninformed. Then add in the potential for lawsuits on top of penal administrative fines and all of a sudden taking the rules seriously doesn’t seem a stretch. The “social justice” advocates will be using this legislation to target anyone they think unworthy, and anyone in our business definitely fits that category for them. </p> <p><strong>In Summary</strong></p> <p>Our advice is simple. Don’t be the one to get caught and do not treat this exercise as something that your business can pay lip-service to. The people on the other side that you are mitigating risk against are not the people you have been led to believe they are. They are not poor Mr. and Mrs. Smith whose data has been lost and has ended up in the hands of a trickster. They are organised, well-funded entities that see GDPR and Data Privacy legislation as a way of either capitalising from our confusion or making sure that we don’t have a business going forward. They are highly motivated, extremely knowledgeable and they will be coming for us. 
Sooner, rather than later.</p> <p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p></div> <!-- END OUTPUT from 'themes/gavias_vinor/templates/fields/field.html.twig' --> <drupal-render-placeholder callback="flag.link_builder:build" arguments="0=node&amp;1=1500&amp;2=bookmark" token="HRfVfsVy59KQQExn9GRnyEinvjrM_4M-UCFJQ2hVeLU"></drupal-render-placeholder> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--field-author--features.html.twig * field--node--field-author.html.twig * field--node--features.html.twig x field--field-author.html.twig * field--entity-reference.html.twig * field.html.twig --> <!-- BEGIN OUTPUT from 'themes/gavias_vinor/templates/fields/field--field-author.html.twig' --> <a href="/author/iain-bonner-fomes" hreflang="en">Iain Bonner-Fomes</a> <!-- END OUTPUT from 'themes/gavias_vinor/templates/fields/field--field-author.html.twig' --> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--field-content-role--features.html.twig * field--node--field-content-role.html.twig * field--node--features.html.twig * field--field-content-role.html.twig * field--list-string.html.twig x field.html.twig --> <!-- BEGIN OUTPUT from 'themes/gavias_vinor/templates/fields/field.html.twig' --> <div class="field field--name-field-content-role field--type-list-string field--label-above"> <div class="field__label">Content role</div> <div class="field__item">AlphaWeek Basic</div> </div> <!-- END OUTPUT from 'themes/gavias_vinor/templates/fields/field.html.twig' --> Mon, 11 Jun 2018 09:18:41 +0000 AlphaWeek Staff 1500 at https://alpha-week.com GDPR Countdown: Overseas Movements And Third Countries https://alpha-week.com/gdpr-countdown-overseas-movements-and-third-countries <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--title--features.html.twig x 
field--node--title.html.twig * field--node--features.html.twig * field--title.html.twig * field--string.html.twig * field.html.twig --> <!-- BEGIN OUTPUT from 'core/modules/node/templates/field--node--title.html.twig' --> <span>GDPR Countdown: Overseas Movements And Third Countries</span> <!-- END OUTPUT from 'core/modules/node/templates/field--node--title.html.twig' --> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--created--features.html.twig x field--node--created.html.twig * field--node--features.html.twig * field--created.html.twig * field--created.html.twig * field.html.twig --> <!-- BEGIN OUTPUT from 'core/modules/node/templates/field--node--created.html.twig' --> <span>Mon, 05/14/2018 - 14:22</span> <!-- END OUTPUT from 'core/modules/node/templates/field--node--created.html.twig' --> <!-- THEME DEBUG --> <!-- THEME HOOK: 'field' --> <!-- FILE NAME SUGGESTIONS: * field--node--body--features.html.twig * field--node--body.html.twig * field--node--features.html.twig * field--body.html.twig * field--text-with-summary.html.twig x field.html.twig --> <!-- BEGIN OUTPUT from 'themes/gavias_vinor/templates/fields/field.html.twig' --> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>GDPR changes the nature of who is deemed appropriate to receive data with regards to third countries. 
Data controllers and processors are deemed to have to abide by restrictions hence the reason you have received hundreds of emails from every cloud-based company looking to offlay their responsibilities back to you and your business (which, by the way, they can’t, but want you to think they can).</p> <p>Like the passporting regime, it is the EU that determines who are the appropriate countries.The list therefore looks much like the scoring at the Eurovision Song Contest with the ridiculous situation that sending data to Argentina (Spain wanted it) is fine but sending to Australia or the US (UK wanted it) isn’t. The US has had two different attempts to address this concern; Safe Harbor(sic) &amp; Privacy Shield. Safe Harbor failed and it looks as if Privacy Shield is about to go the same way. Not to worry though, all of this is unnecessary as long as you know how to establish your own adequacy.  If only the industry could be given the same opportunity with passporting!!</p> <p>Data is and always was global and available but now it isn’t? As data controllers and/or processors we have a duty to make data secure and to follow regulations but for who, where and when. The best to establish this for our own uses is to look at where data flows to and address each movement. These break down into 3 main categories.</p> <p>1. Data you collect in the European Economic Area (EEA) and associated approved countries. The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway. Include in this countries or dominions that have adequate coverage and protection according to the EU commission (2nd countries).  These are Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.</p> <p>2. Data you collect in the EEA and need to use outside (3rd countries)</p> <p>3. 
Data you collect outside the EEA and may or may not process in the EEA</p> <p><strong>How to Navigate the New World</strong></p> <p>Section 1.</p> <p>If you collect it and retain it and it never leaves these countries, you know to follow GDPR and you must make sure everyone you send to as a data processor also follows the rules of GDPR.  If you collect it in the 2nd countries and send it elsewhere you don’t have to follow GDPR, but as this is best practice and its easier than running two operating models our advice would be to do so.</p> <p>Section 2.</p> <p>This is the area that most seem to be concerned about but can be mitigated very easily, if the rules are understood. There are two methods to apply - either contracts or Binding Corporate Rules (BCR) (we will discuss those and the most appropriate usage later).  Bear in mind that if you are sending something between two countries in section 1, and the data passes (without being manipulated) through a country not in section 1, this isn’t considered transfer outside; it will be considered as remaining within.</p> <p>Section 3.</p> <p>If you collect it outside, it is not covered by GDPR. It does not matter if it is about any EU citizen. (this is probably the biggest scope mistake). If you then send it into the EEA it will be the responsibility of who receives it to follow the rules, as it will become data residing inside the EEA and the duty will be to process it lawfully.  If you send it elsewhere then you are good to go, following the rules of the country you are in. The way data privacy legislation is being adopted, you will most likely find a large part of the GDPR and or Data Protection Bill (UK) will be adopted elsewhere. But be advised, it is best to think about one model for the future.</p> <p><strong>Methods of Transferring Outside</strong></p> <p>The most appropriate way is to have contracts between your organisation in the section 1 country and the other country. 
This will clearly state that the data sent from inside will need to be handled in the same way as if it is still inside i.e. compliant with GDPR. That means paperwork and lots of it again. Our suggestion would be to have a contract that everyone outside adheres to. If you are a business who has a head office in a third country, you will most likely be consolidating data outside. If this can be anonymised, do so, if it cannot (HR data for example), then the best way to do so is through contract. </p> <p>This also works for third party contracts on a peer to peer basis. If you wish to deal with third parties outside your organisation you can use this method too, or you can adopt Binding Corporate Rules.</p> <p>BCRs are more effective when being used amongst collectives rather than a single organisation. Think of them as a standard that everyone will set and maintain between many companies rather than individual contract between your company and another. If you are involved in joint enterprise, joint marketing, consolidation, BCRs will be best used to give everyone a framework and make sure everyone understands their collective obligations.</p> <p><strong>Establishing Adequacy</strong></p> <p>“A data controller may only transfer personal data outside the EEA to a country whose data protection laws have not been approved by the European Commission as providing adequate protection for data subjects’ rights if there is an adequate level of protection for the rights of data subjects.”</p> <p>The adequacy of the level of protection associated with a particular transfer may be ensured in a number of ways. The data controller can carry out his own assessment of the adequacy of the protection; or rely on one of the exceptions to the prohibitions on transfers of personal data outside the EEA. But most importantly, by setting up contractual obligations or BCRs and conducting a DPIA assessment your business can send data anywhere it wishes. 
It is important to recognise that you must maintain this, ensure it’s compliant and undertake audit/due diligence regularly. If it’s your head office, for example, you need to make sure that they agree not to send the data on elsewhere without approval or contractual basis. Your business needs to maintain control.</p> <p>The standards based Privacy Shield was a US attempt to create a standard for US companies that they could adhere to, so they wouldn’t need to have everyone conduct a DPIA every time they wanted to engage with a US company, but as one can see from my above descriptions of process it is deemed by most as overkill and as the EU changes its rules all the time, especially when dealing with the dreaded USA, it is difficult to adhere to.</p> <p><strong>In Summary</strong></p> <p>The best thing to do with data collected anywhere is keep it where it is, but the fact is that this isn’t very practical, doesn’t aid efficiency and will likely increase costs. If it doesn’t need to move outside don’t do it unless the benefits outweigh the costs. As always, documentation is the key to success, but this doesn’t help maintain compliance, it only establishes it. Automation and transparency is once again the best way to monitor and maintain compliance. Evidence and control can be best established by connecting all components in your data flow within this. Most important for your business is to recognise the days of bulking up data and sending just in case are a thing of the past. Treat your personal data as separate, and distribute with care; and most of all, use the contract process effectively. 
Taking the decision yourselves always works better than allowing the authorities to decide.</p> <p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p></div> Mon, 14 May 2018 13:22:49 +0000 AlphaWeek Staff 1501 at https://alpha-week.com ICO: “It Is An Evolution Not A Revolution” https://alpha-week.com/ico-it-evolution-not-revolution <span>ICO: “It Is An Evolution Not A Revolution”</span> <span>Mon, 04/30/2018 - 13:26</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>“It is an evolution not a revolution”. </p> <p>The Information Commissioner’s Office (ICO) mantra.</p> <p>Over the past six weeks, I am sure that, like me, you have heard this from all sides, from traditional media and social media. So, nothing to fear: you have seen it all before, you can adapt, and it will be easy and painless as you already understand it.</p> <p>Collectively we should analyse this statement and see if it holds up under scrutiny.</p> <p>Key concerns amongst the investment industry are that GDPR comes at a time when regulatory fatigue is at breaking point. 
The number of people deployed, and the amount of both intellectual and physical capital that has been exhausted in meeting the new regulations since 2007, has reached such epic proportions that, had most known this was going to be an ever-changing cycle, many would have packed up ten years ago. The movements are challenged by two conflicting views: on one side, that self-regulation failed and that it is now incumbent on governments, regulators and supra-national bodies to tell us what we can and cannot do; and on the other, that this was not really the industry’s fault and that the failures really came from government, central banks, and the panic and outcry created by their failure to control the money supply. This then led to finding a scapegoat, which became the finance industry itself. The truth is somewhere in the middle. </p> <p>The response, however, has not been in the middle. It has been a one-sided attack on business practice, with the public sector absolving itself of all responsibility. Not particularly edifying. One thing that is noticeable about GDPR is that it regulates the public sector more stringently than the private. This is so rare in today’s context that it should be shouted from the rooftops. Perhaps the balance is finally being addressed in one small way, but there is no doubt that the industry sees another regulation - hot on the heels of everything that has gone before - as the straw that is breaking the camel’s back.</p> <p><strong>Evolutionary</strong></p> <p>Evolution suggests that the start point is the end of the previous iteration. The Data Protection Act (DPA) in the UK covers a great many of the issues that are now being addressed forthrightly in GDPR.</p> <p>1. Marketing</p> <p>This was addressed robustly in the previous regulation and in this most sensitive of areas they are correct in stating that it is evolving. 
If one were to look at most of the commentary around GDPR in early project discussions, it is with sales and marketing that most concerns have come to the fore. Who can I talk to? How can I talk to them? Do I have to get consent to do so? These have been the largest and longest of discussions. Most people now recognise that they don’t need someone’s consent to contact them. It needs to be proportionate and needs to stop when asked to; common sense prevails.</p> <p>2. Personal Data Requests (Now called Subject Access Requests)</p> <p>The other area where we see evolution is in notification and subject access requests. The medical industry is ahead of the other sectors with this, as people have understood their right to see their medical files for at least a decade, if not more. This is a Subject Access Request and has been enabled in the DPA for a great deal of time. Reporting and notification times were 45 days - now 30 - but with a right to extend a further 60 days if the query is arduous or convoluted. This is pure evolution. The right of access, and then the rights to amend and to be forgotten, are already in place (one can argue they are ineffective, but they are there). In this, the ICO is correct. One area of meaningful change is that fees can no longer be charged under GDPR, unless the request is repetitive or excessive, whereas they could be charged under the DPA. It’s more cost the industry will have to absorb, but definitely an evolution.</p> <p><strong>In the Middle</strong></p> <p>1. Penalties</p> <p>The administrative fines are going to be able to be made much, much bigger (up to 4% of your group turnover), but the regulator can fine you today, so in that sense it’s an evolution. Do they? Well, you can argue they do, but the counter-argument that the fines are not meaningful, or that in most cases they don’t, probably has greater weight. 
What is noticeable is the number of data privacy breaches that companies are now bringing to the fore just before the fine increases are imposed; this is almost an amnesty when you see the size of the potential punishment. I would argue that really that’s revolutionary, because the criminal sanctions that have been added and the difference in the size of fines change the entire tone of the engagement between ourselves and the regulators, but both sides have a case in arguing for either evolution or revolution.</p> <p><strong>Revolutionary</strong></p> <p>1. Scope</p> <p>This is vastly enhanced and covers just about everyone on the planet under several circumstances. So much so that companies now must have an EU representative organisation to become the bearer of fines and regulatory scrutiny. It enforces policy on businesses outside EU jurisdictions by stealth and third-party engagement.</p> <p>2. Security</p> <p>All systems must now be designed, on an ongoing basis, to deliver privacy by design. It will mean back to the drawing board for many systems and make some which have already been developed unfit for use in the EU or by businesses servicing EU customers. Luckily it isn’t retrospective, but it will force momentous change in the future. Systems were never covered in the DPA.</p> <p>3. New or Enhanced Roles</p> <p>Data Controller – criminal liability for misuse of personal data (PII) - prison.</p> <p>Data Protection Officers (DPOs) are now mandatory for public bodies, and pretty much necessary for anyone selling retail. Most investment funds, unless trading private proprietary money, should be thinking about at least an outsourced DPO (<strong><a href="https://www.alpha-week.com/news/data-protection-officers-be-or-not-be">see my previous article in AlphaWeek</a></strong>). In the past, for most businesses, it was a message that said we record your calls before you get connected (largely due to the Privacy in Electronic Communications Act).</p> <p>4. 
Opt-ins</p> <p>Marketing brochures need to be amended, but more importantly organisations must make it as easy for people to stop a service as it is to start one. This has all sorts of connotations for business, as months of work could be opted out of in seconds once this is enabled through automation.</p> <p>5. Children</p> <p>This isn’t a big topic for our business, as finance rules restrict most of our business to adults, but it is noticeable that children are no longer allowed to give informed consent and that the definition of a child varies across most EU countries as they choose it through derogations. A cost to the trust - private trust business, possibly.</p> <p>6. Record Keeping</p> <p>This is vastly different. The level of documentation required, and the nature of the decision-making process through to the Data Privacy Impact Assessments that must be conducted, mean huge overheads.</p> <p>7. Breach Reporting</p> <p>It’s now mandatory to report a breach within 72 hours if data privacy has been impacted. This will require a team not unlike Business Continuity to be put in place inside most decent-sized firms, with clear actions and procedures, as there will not be enough time in the event of an episode to agree amongst participants. This represents a huge change from reactive and non-disclosed breach reporting.</p> <p>8. Encryption and pseudonymisation</p> <p>Some mandatory encryption and pseudonymisation of personal data with regard to special interests and sensitive information is now required. More importantly, the regulation uses its standard phrase of ‘appropriate organisational and technical measures’ to prevent unauthorised data spills. This means that whatever the ICO decides is appropriate is the standard to which you will be held. Businesses will not know what that is until we have enough case law precedent, which means that for the first few years it will be whatever the ICO, with the benefit of hindsight, thinks. 
It’s not a happy situation, and much less happy if it’s you they are investigating. Beware.</p> <p>9. International Transfers</p> <p>GDPR changes the nature of who is deemed appropriate to receive data with regard to third countries. Data controllers and processors are deemed to have to abide by restrictions, hence the reason you have received hundreds of emails from every cloud-based company looking to offload their responsibilities back to you and your business (which, by the way, they can’t, but they want you to think they can).</p> <p>Like the passporting regime, it is the EU that determines which are the appropriate countries. So, it looks like the scoring at the Eurovision Song Contest, with the ridiculous situation that sending data to Argentina (Spain wanted it) is fine but sending to Australia or the US (the UK wanted it) isn’t. The US has had two different attempts to address this concern: Safe Harbor (sic) &amp; Privacy Shield. Safe Harbor failed and it looks as if Privacy Shield is about to go the same way.</p> <p>It is possible through Binding Corporate Rules (BCR) to circumvent these problems, and pre-approval of BCRs by the EU was removed. So at least, for the time being, business can send to third countries without the EU’s say-so, but if business does not audit and make checks on third country suppliers to make sure they uphold GDPR standards, that will change. I will address this in greater detail in my next article.</p> <p><strong>In Summary</strong></p> <p>If this isn’t a revolution, I don’t know what is. The Investment Industry is going to find itself coming under intense scrutiny (it’s got deep pockets and is an easy target) sooner than it thinks. Judging from my own deliberations with the market, those of my fellow professionals, and the <strong><a href="https://www.alpha-week.com/news/new-survey-reveals-most-financial-firms-are-not-prepared-gdpr">collective surveys being undertaken</a>,</strong> the industry is woefully under-prepared. 
Addressing this is going to significantly increase the cost of compliance, either through manual processes with more people or through automation. We would recommend the latter, or this will become a never-ending cycle of remediation, degrading compliance and then back to remediation. Put simply, the ICO is featherbedding the impact of this (no doubt for the best of reasons, i.e. not to cause panic) and the industry will soon wake to the realisation that the impact on their business is going to be truly significant, and that most of them have left themselves vulnerable to an extinction-level event that needed fixing yesterday. </p> <p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p></div> Mon, 30 Apr 2018 12:26:58 +0000 AlphaWeek Staff 1502 at https://alpha-week.com Data Privacy - Who Are We Really Looking After? A Positive Case For Compliance https://alpha-week.com/data-privacy-who-are-we-really-looking-after-positive-case-compliance <span>Data Privacy - Who Are We Really Looking After? A Positive Case For Compliance</span> <span>Mon, 04/16/2018 - 14:33</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>“Probably the worst word they could have used.” 
This is a quote from a very senior cyber security professional that my company engaged with soon after hearing about GDPR in 2015. I assumed, for a while, that he meant “Global”, because we all had presumed (wrongly) that the “General” was actually “Global” in General Data Protection Regulation. We all felt that the EU was attempting to extend its powers beyond its borders. It was only after delving deeper that we realised he meant “Data”.</p> <p>His opinion was that it would be given to the wrong people to work out a solution. Then I understood: it isn’t IT and it isn’t about data. It’s about control of your environment, and misuse of data and misuse of business processes; giving this to IT people to solve will only lead to the motive behind the legislation becoming diluted. I had to agree.</p> <p>The rules around regulation since the crash of the market in 2008 have one thing that is consistent across all of them. From banks to brokers, from AI managers to traditional long-only funds, from HFTs to their exchange counterparts, the rules are applied to control operations and behaviours to make them transparent to the regulators, governments and the public combined. No country or supranational body has written rules that address the way things must be done and how to do them. They have set guidelines that they wish people to achieve, and they have layered those guidelines on top of each other with every move. SMR covers areas that MAR covers, which covers areas that MiFIR does, etc., and none of that is about the data, and neither is this. If you are doing data audits, stop and think again. <em>You need to be auditing your processing of that data, not what it is</em>. It’s your processes you need to control, and good rules around the data follow from that.</p> <p>GDPR and the DPB are another attack on the perceived lack of control and lackadaisical mindset of business when it comes to thinking about the public at large. 
Interestingly, though, they haven’t stopped this at our industry, but have extended the scope of the legislation to include all companies, public authorities and government. The investment industry and its wider financial services cousins were, for once, not the first target. The big data companies like Google, Facebook and Amazon are clearly in the crosshairs first, hence they have been trying to manage this problem for two years. This does not mean for one second that we can hope to hide in plain sight. The regulations are working together and will be used by financial services regulators as another determination of whether appropriate controls and behaviours of organisations are in place, and the finance industry is way behind in its response to this. Apathy, along with regulatory fatigue, is the primary culprit, in Eyestorm Advisors’ opinion.</p> <p>As a case in point, many of the rules that GDPR is looking to pursue with such vigour are already in place, but not so one would know it. The Data Protection Act (the UK regulation that GDPR is superseding) already makes it possible for an individual to check which information you hold on them (GDPR calls these Subject Access Requests). Marketing has strict rules governing who can be contacted, by what medium, and what is deemed reasonable.</p> <p>So why the big deal now?</p> <p>Sheer weight of purpose, of course. The full force of the law is going to fall on those that deem these things to be “optional”, as one could say they are now. The recommendation to most businesses in the past has been that the law doesn’t take this particularly seriously (a maximum fine of £500,000 is not small, but to a multinational it really doesn’t warrant panic) and that the reputational risk is probably the biggest reason to do the right thing, rather than the statutory responsibility.</p> <p>All change!</p> <p>The administrative fines are going to be able to be made much, much bigger (up to 4% of your group turnover). 
This should make anyone stop and take this seriously. Funds should also be very worried about the threat of class action lawsuits and the reputational risk of data breaches made whole through lack of control.</p> <p>Put yourself in the minds of your customers. Would you keep your money with a fund that can’t look after your personal details? How effective will the management of money be if asset managers must pay the fines from their fees? The adage that “the customer always pays for every fine” is something that your investors are going to take very seriously. Let them down with this and you are deemed to be untrustworthy; not a good place to be.</p> <p>Next, there are also mandatory reporting times of 72 hours for breaches that may affect a data subject’s privacy (a data subject is the living person who loaned you their personal data for you to keep secure). Hiding from the regulator and smoothing things over is not the way to meet your obligations. Fines will be punitive for covering up, and criminal charges will be brought. The regulators have specifically requested and been given this power. They will use it.</p> <p>This is not a tick-box exercise. Recently, we have seen companies (software and consulting firms) offering to make sizeable organisations compliant in a few days, mostly by giving them an app to use. Managing lots of other people’s money comes with obligations and compliance cost, and the market is looking to spend as little as it can. However, any business that thinks that this is a regulation it can pay lip-service to needs to ask itself this question: when the ICO comes to audit our organisation on the back of a complaint, what will they be satisfied with? Anyone who has been audited by the FCA, PRA or any other of the financial regulators around the globe will be fully cognisant of the type of response an asset management company is likely to receive if it shows that it has not taken its obligations seriously. 
The regulations around GDPR have criminal sanctions attached to them for senior individuals deemed responsible. C-suite executives’ minds are being challenged, their approach to this is being questioned, and a “sticking plaster” simply will not do. The DPB goes even further, making all data relevant to the rules and not just privacy data, so any thought that, post-Brexit, the burden may be lessened is incorrect. It is going to be more stringent, not less. A comprehensive review, and automation to make the tasks less onerous, are going to be a must.</p> <p>So, Who Are You Really Looking After?</p> <p>1. Yourselves.</p> <p>No, seriously. The criminal sanctions alone make this a potential prison sentence for those that aren’t treating their obligations seriously. Health and Safety legislation, when introduced, was seen as being optional and aspirational when first applied. Criminal convictions followed and now everyone takes their obligations as sacrosanct. If the idea of prison doesn’t worry you, then the reality of it might.</p> <p>2. Your Customers.</p> <p>It is in the best interest of any fund to have absolute trust between themselves and their customers/clients/investors. I wouldn’t care to explain to my investors how I had managed to lose their personal data. I am sure that no one would. Funds need to recognise that one severe breach could become an extinction-level event.</p> <p>3. The Integrity of the Industry.</p> <p>Too many bad headlines in the newspapers. Too many damning articles on TV news. No one wants to see that situation return. The industry has a chance to win this one, be properly compliant, and show the way to the rest of business and the public sector. Our industry knows how to deliver complex regulation and has the mechanisms to do so. 
A bit of good publicity would come as a welcome riposte to the tidal wave of criticism we have all had to endure.</p> <p>The positive advantages of being compliant need their case made.</p> <p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p></div> Mon, 16 Apr 2018 13:33:33 +0000 AlphaWeek Staff 1503 at https://alpha-week.com Data Protection Officers - To Be or Not to Be? 
https://alpha-week.com/data-protection-officers-be-or-not-be <span>Data Protection Officers - To Be or Not to Be?</span> <span>Mon, 04/02/2018 - 12:37</span> <div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>One of the most hotly debated topics as we look towards the “Brave New World” of GDPR and Data Privacy legislation is the role and responsibilities of the Data Protection Officer (DPO) and whether a hedge fund or private equity firm should or needs to have one. In contemplating this, fund managers have looked first to their legal advisers, then to the regulation texts, and then to clarification from the regulators. 
As is so often the case with regulation that stems from “aspirational” notions of the “wouldn’t it be nice” crowd, the regulation has been written to encompass just about everything and everyone, without fully understanding whether it is practical to do so - and the side effects.</p> <p>Most of this debate comes from assumptions made by participants and experts in the market that have been extrapolated from one context and conflated with another. They boil down to two opinions:</p> <ul><li>A staff headcount of less than 100 or 250 means our fund will not need a DPO</li> <li>The DPO is a role that should (or should not) be conducted by a member of staff/director of the company</li> </ul><p>Fund managers believe the regulation is ambiguous and therefore the answer is whichever opinion it suits you to agree with. As with most financial services regulation when it first comes to be enacted, hedge fund and private equity firms are cherry-picking the opinion that suits them best. “We placed our own interpretation on the recommendations” is a stock phrase which has been bandied about for years. Unfortunately, we don’t have the luxury of that approach to the upcoming GDPR legislation, and so we need to look for the clues.</p> <p>In October 2017 the ICO published a list of charges (consultation has now ended) for its services that it will be expecting companies to pay. These are based on turnover, headcount and number of records processed. 
They are:</p> <p><strong>Tier 1: Small and medium firms that do not process large volumes of data</strong></p> <p>Staff headcount below 250; and<br /> Turnover below £50M per annum; and<br /> Number of records processed under 10,000</p> <p><strong>Tier 2: Small and medium firms that process large volumes of data</strong></p> <p>Staff headcount below 250; and<br /> Turnover below £50M per annum; and<br /> Number of records processed above 10,000</p> <p><strong>Tier 3: Large businesses</strong></p> <p>Staff headcount above 250; and<br /> Turnover above £50M per annum</p> <p><strong>Direct marketing top up</strong></p> <p>Organisations that carry out electronic marketing activities as part of their business.</p> <p>The proposed amounts are:</p> <p>Tier 1: annual fee of <strong>up to</strong> £55<br /> Tier 2: annual fee of <strong>up to</strong> £80<br /> Tier 3: annual fee of <strong>up to</strong> £1000<br /> Direct marketing top up fee of £20</p> <p><strong>Source: ICO</strong></p> <p>These charges give a greater clue to the need for a DPO than any other criterion. 10,000 records of personal data within your company is the benchmark for the lower fees, so this is probably the clearest indicator we have seen so far of what counts as large-scale processing. The regulation makes clear that anyone undertaking large-scale processing needs a DPO, and there is no headcount stipulation, despite the mistaken 100 and 250 headcount numbers being bandied around the market.</p> <p>This will mean that all those clinging to the idea that a headcount under 100 or 250 is a get-out clause are going to come unstuck when the ICO comes knocking and wants to see your DPO. 10,000 records is not very much. Many people within hedge fund and private equity firms will have 2-3,000 email addresses of people just in their own files. Even in a smaller hedge fund or private equity firm with only 4 or 5 people, that threshold will be breached. 
It’s important to remember that email addresses that carry a person’s name, even when owned by companies, <em>are</em> personal data; for example, my email address - <a href="mailto:iainbf@eyestormadvisors.com">iainbf@eyestormadvisors.com</a> - is, whereas something like <a href="mailto:info@eyestormadvisors.com">info@eyestormadvisors.com</a> is not. Just check your inbox to realise the size and scale of the problem.</p> <p>A much better way to think about whether you should appoint a DPO is to ask yourself ‘how can I gain an advantage from having one?’ Practically, hedge funds and private equity firms should be thinking about how to use DPOs effectively and hire one, especially if your industry is already regulated for control frameworks. The ICO (the regulator in the UK) has been saying for over a year that this person is an important conduit between your business and the regulator. They will also need to be made aware of your intent to do new business, new projects and IT architecture changes (privacy by design is a requirement for all systems). The DPO is an effective tool to bind your control mechanisms together, and they need to be a person who understands the complexities of your business.</p> <p><strong>Who to pick and how to use them effectively?</strong></p> <p>There are three clear requirements when considering whom to appoint as your DPO: they need to be qualified, independent and enabled to operate at an effective level. Qualified might seem obvious, but their qualifications must include an understanding of your business model and processes. So, hiring someone who knows IT software companies when you are an asset manager isn’t appropriate; you need someone who understands the complexities of your business. This should make for an interesting competition for resources.</p> <p>Enabling them to operate at an effective level means they need access to the power that controls your organisation. 
That doesn’t necessarily mean being on the board, but they will have to have line of sight to it, and their recommendations need to be discussed and monitored at this level.</p> <p>Independence is the hardest one to determine. Can a junior member of staff really be independent in their decision-making while reporting into the higher echelons of a company? This is probably one for the HR professionals to answer, but to my mind a junior member of staff will struggle, not least because they are also likely to be given other tasks that will be considered to take precedence; that means a lack of control. So how about a board director? Even worse, as they already have a statutory responsibility to the shareholders, which would create a conflict.</p> <p>Many organisations have decided the appropriate person is legal counsel. This is probably as good a decision as any, as it means that any legal stipulations that need to be abided by will be covered (contracts will be correct, for example). But what about operational capability? And technology constraints and undertakings? We believe that a function such as DPO should be held by a Non-Executive Director or a function close to it, such as a Chief Control Officer, who can provide input at all levels. The choice for businesses really comes down to an outsourced DPO (NED-like) or some form of internal control officer. 
Then make sure that they are free to challenge and to go where needed.</p> <p><em>Iain Bonner-Fomes is the CEO of <strong><a href="https://www.eyestormadvisors.com/">Eyestorm Advisors</a></strong></em></p></div> <a href="/author/iain-bonner-fomes" hreflang="en">Iain Bonner-Fomes</a> Mon, 02 Apr 2018 11:37:41 +0000 AlphaWeek Staff
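<p>The two concrete points above (named mailboxes are personal data while generic role mailboxes are not, and the ICO fee tiers with their 10,000-record boundary) can be turned into a rough self-check. The following Python is an added example, not code from the article or from Eyestorm Advisors; the list of "generic" local parts is a heuristic assumption, the sample headers are constructed, and the tier logic follows only the table as quoted in the article.</p>

```python
import re
from typing import Iterable, Optional

# Heuristic list of role/generic mailboxes (an assumption of this example,
# not a list published by the ICO or given in the article).
GENERIC_LOCAL_PARTS = {
    "info", "sales", "support", "admin", "noreply", "no-reply",
    "enquiries", "contact", "hello", "office", "ir", "compliance",
}
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def normalise(addr: str) -> str:
    """Lower-case and drop sub-address tags so Jane@ and jane+tag@ count once."""
    local, domain = addr.lower().split("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"

def is_personal_address(addr: str) -> bool:
    """A named individual's mailbox is personal data; a generic role mailbox is not."""
    return normalise(addr).split("@", 1)[0] not in GENERIC_LOCAL_PARTS

def count_personal_addresses(lines: Iterable[str]) -> int:
    """Count distinct personal-data email addresses found in the given text lines."""
    seen = {normalise(a) for line in lines for a in _ADDR_RE.findall(line)
            if is_personal_address(a)}
    return len(seen)

def large_scale_processing(records: int) -> bool:
    """The article reads the ICO's 10,000-record fee boundary as the large-scale
    benchmark; exactly 10,000 is not 'under 10,000', so it is treated as large scale."""
    return records >= 10_000

def ico_fee_tier(headcount: int, turnover_gbp: int, records: int) -> Optional[int]:
    """Map a firm onto the proposed ICO fee tiers quoted in the article.
    Returns None for combinations the quoted table does not cover."""
    if headcount < 250 and turnover_gbp < 50_000_000:
        return 2 if large_scale_processing(records) else 1
    if headcount > 250 and turnover_gbp > 50_000_000:
        return 3
    return None

# Constructed sample of mail headers; none of these addresses are real.
SAMPLE_HEADERS = [
    "From: Jane Doe <jane.doe@example-lp.com>",
    "To: info@example-advisors.com, j.smith+newsletter@example-fund.com",
    "Cc: JANE.DOE@example-lp.com, sales@example-broker.com",
    "From: noreply@example-data.com",
]

if __name__ == "__main__":
    n = count_personal_addresses(SAMPLE_HEADERS)
    print(n, large_scale_processing(n), ico_fee_tier(5, 2_000_000, n))
```

<p>Run against a real mailbox export the count will be far higher than the sample's two addresses, which is the article's point about how quickly a small firm reaches the 10,000-record benchmark.</p>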