How to protect your business and your clients’ data: spotlight on the latest rules in force

A major data leak targeted an external asset manager (EAM) last September. Hundreds of clients had their data stolen and published on the darknet. Was it a disgruntled employee? A major security breach? No, the leak actually originated from the database of the EAM’s former service provider. Hence the importance of conducting greater due diligence when choosing service providers.

Laurent Pellet
Limited Partner, Global Head of EAM,
Banque Lombard Odier & Co Ltd.
In collaboration with Philipp Fischer
Partner, Oberson Abels SA

In addition, new data protection rules that came into force last year have increased companies’ obligations, including those in the financial sector. These include the revised version of the Federal Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).

They require EAMs to take a more rigorous and proactive approach to personal data management, with increased transparency and security. These requirements have a direct impact on EAMs in Switzerland, whose relationship with clients is based above all on trust and confidentiality.

Data protection is therefore all the more crucial for this industry, and represents both a challenge and an opportunity to strengthen the relationship of trust with clients within a more protective legal framework.

Transparency and increased information: what can be done?

EAMs must provide their clients with detailed information on the purposes and methods behind collecting and processing their personal data. This means drawing up a clear and accessible privacy notice. The duty to inform applies from the moment the data is collected, with particular attention being paid to situations in which personal data is transferred to third parties, in particular where cloud service providers are used.

Data security and risk management: strict requirements

The new data protection rules contain strict requirements in terms of information security: EAMs must put in place internal procedures to identify and secure the data they process. Similarly, they must implement measures to protect against data leaks, with an obligation to rapidly alert the authorities in the event of a breach.

What's more, if data processing is likely to give rise to particularly significant risks for data subjects (e.g. clients), EAMs must assess these in a structured and documented way, and then reduce them if necessary, by means of a personal data protection impact assessment (PDPIA).

These requirements are all the more crucial given that GDPR (and its severe penalties) may also, under certain conditions, apply to Swiss companies offering services to EU residents.

Right to be forgotten and data rectification: processes to be put in place

Clients, as data subjects, now have more extensive rights, such as the right to access information about themselves, to request that it be deleted (the right to be forgotten) or to rectify inaccurate data. Responding quickly to these requests requires internal processes to be put in place.

For EAMs, these new rules represent a twofold challenge: on the one hand, maintaining customer confidence by ensuring rigorous and transparent data management; on the other, guaranteeing compliance to avoid sanctions and reputational risk.

To comply with the new requirements, EAMs need to adapt their data management systems, internal rules and practices, and train their teams in order to anticipate risks and meet clients’ growing expectations in terms of data protection.

In this context, the first step is to take stock of current practices by comparing them with the requirements of the new rules, and then to identify and prioritise the necessary corrective actions, focusing on the points that are least compliant or most likely to give rise to legal or reputational risks (risk-based approach).

Biography

Laurent Pellet joined the Bank in 2017 and took over responsibility for the External Asset Managers department for the Group in 2018. After starting out at Ferrier Lullin & Cie SA, he held various positions at Bank Julius Baer for more than 20 years. He holds a Diploma in Quantitative Wealth Management from HEC Geneva, a Diploma in Digital Finance Law from the University of Geneva and the CWMA.