CACEIS is preparing for the upcoming implementation of the GDPR, a regulation that concerns the protection of the personal data of its clients and staff members; this project is part of a broader framework, which includes the launch of the Code of Ethics for all entities within Crédit Agricole Group.
The use of personal data constitutes a major societal challenge and is subject to an increasingly strict regulatory framework. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) of 27th April 2016 will apply from 25th May 2018 and seeks to harmonise and strengthen European legislation on the storage, processing and transparency of personal data.
The GDPR will apply to all companies that collect, handle and store personal data that, when processed, may enable a person to be directly or indirectly identified.
It will not only concern all companies established on EU territory, but also companies located outside the EU which offer goods and services to, or monitor the behaviour of, individuals in the EU. The same applies to technology partners and software providers, which must also comply with the requirements of the GDPR even if they operate in a non-member state. Furthermore, processors (not only controllers) may be held directly liable in the event of an incident.
The regulation defines personal data as “any information relating to an identified or identifiable natural person”, whether the person can be identified directly (e.g. by their name) or indirectly (by their telephone number, an online identifier such as their login details for an application, etc., or even behavioural data if it can be associated with an identity).
The GDPR will thus introduce stricter requirements concerning the processing of client data conducted by all financial market players, in a context of increasingly frequent cybersecurity challenges.
As is the case for all companies within the European Union, all departments at CACEIS will be affected, including governance, HR, communication, legal, information security and IT. The rights of individuals are strengthened: clearer prior information and stricter conditions for individual consent; the right to ask at any time what personal information is being processed, where it is held and for what purpose (the right of access), and to obtain it in a reusable form (the right to data portability); the right to erasure (the “right to be forgotten”), etc.
The regulation also provides for greater traceability in processes and in IT systems, and greater security through the implementation of enhanced detection and transparency measures for incidents. In the event of a personal data breach, the supervisory authority must be notified within very short timeframes (72 hours where feasible), and the persons affected must be informed without undue delay when the breach is likely to result in a high risk to them.
In addition, the regulation applies new confidentiality and security requirements to the processing of client and staff data (preventive measures, end-to-end security, etc.), together with the compulsory keeping of records of personal data held and of processing activities. It must be possible to produce such records at any time in the event of inspection by the competent authorities.
Finally, in terms of governance, the GDPR creates the role of Data Protection Officer (DPO). This officer, whom organisations must appoint where their core activities involve large-scale processing of personal data or regular and systematic monitoring of individuals, is responsible for ensuring the proper application of the rules relating to the collection and processing of personal data, both at a business level and internally.
CACEIS is preparing to ensure compliance with this new regulation by May 2018. In this respect, we will keep our clients regularly updated, particularly regarding changes to the contractual framework.
Alongside efforts to ensure compliance with the GDPR, CACEIS is adopting a Code of Ethics shared by all Crédit Agricole Group entities. This Code expresses our values, which include data protection, our culture and our business ethics.
The Code is a reference document containing the principles of action and behaviour to be followed on a daily basis in CACEIS’s relationships with its clients, staff members and providers, and on the basis of which all other charters, codes of conduct and internal regulations within the Group will be developed or adapted.
It reflects 12 fundamental principles, some of which place a particular emphasis on our clients. CACEIS’s dedication to data protection can be broken down into the following themes:
Security
Data security remains our priority and is central to all of our actions. The solutions we use to store or process our clients’ data are subject to rigorous validation and certification procedures.
Usefulness and Loyalty
We are committed to using data in the interests of our clients in order to provide them with tailored advice and products, enhanced quality of service and everything they need to help them make the best decisions.
We are committed to acting ethically and responsibly when it comes to personal data; such data will only be disclosed to third parties where required by regulatory obligations or for services provided by actors that have been subject to CACEIS’s rigorous validation and certification procedures.
Transparency and Education
We are committed to explaining to our clients, in a clear, concise and transparent manner, how their data is used, and to informing them of their rights in this area and how to exercise them.
Giving clients control
We are committed to putting our clients in charge of their data and how it is used.
This Code is available on our Corporate Social Responsibility page. It is yet another clear expression of CACEIS’s resolve to position itself as a genuine partner to its clients and to maintain its high level of trust.