General Data Protection Regulation (GDPR)
On May 25, 2018, this new regulation was implemented by the European Union, codifying the legal rights of EU residents relating to the maintenance of their personal data privacy – including on the books of recordkeepers outside the EU. GDPR has effectively laid down the entitlements of “Data Subjects” (shareholders), and the obligations of “Data Controllers” (issuers) and “Data Processors” (transfer agents). Violating these obligations will subject the latter two groups to huge, and we mean huge, financial penalties.
The crux of GDPR is allowing EU residents to know who has their data, how the data holder can be contacted, exactly what the data is, how the data is being used, and how it is being protected. The individual can even demand that certain information be expunged from the database, short of deleting data the Controller and Processor need to perform their legal duties, like the individual’s address. The individual can require the Controller and Processor to correct data erroneously maintained. The individual can limit the extent to which his data is processed, where possible. And he can instruct that his data be transported elsewhere, again within reason.
The immediate onus on U.S. stock transfer agents was to help issuers deliver a required “Privacy Notice” to EU shareholders informing them of their GDPR rights, including appropriate contact information for questions or complaints. While technically an issuer responsibility, we understand transfer agents either sent the notices directly at the issuer’s request, or sent the shareholder contact information to the issuer for it to mail them. Another result of GDPR for U.S. transfer agents was having to add a rider to their service agreement with applicable issuers (and with the agents’ third-party vendors), ensuring the agent would fully comply with GDPR. We gather this has largely been done.
The final question we had for the transfer agents we randomly contacted was “Are you able to meet GDPR requirements already, including handling any inquiry from an EU shareholder, and are the data protections you have in place stringent enough to satisfy EU authorities?” The answer we received unanimously was yes.
That leaves a final question for the reader and ourselves: “Is GDPR a nuisance exercise for recordkeepers, or the long overdue enforcement of data protections all individuals should have?” We think it is the latter, and believe something like GDPR will soon happen in the U.S. as well. Indeed, if it doesn’t, shame on us.