Is your Investor Relations Website GDPR compliant? 5 tips to follow for GDPR compliance - MZ Group

The impact of GDPR on investor relations

 

On May 25th, 2018, the European Union General Data Protection Regulation (“GDPR”) came into force, establishing a new framework for handling and protecting personal data. The GDPR is the most significant data protection legislation to date, further strengthening individuals’ data privacy rights and introducing a uniform data protection law across Europe.

The regulation applies to the processing of personal data and covers all organizations established in the EU. It also applies to organizations outside the EU that monitor the behavior of EU residents or offer goods or services within the EU. The terms “processing” and “personal data” are each defined broadly – “processing” consists of any operation or set of operations performed on personal data, whether automated or not; and “personal data” consists of any information of any format relating to an identified or identifiable natural person.

Under the GDPR, individuals are entitled to:

  • Access their personal data;
  • Correct errors in their personal data;
  • Erase their personal data;
  • Object to the processing of their personal data; and
  • Export their personal data.

 

Aggregate value of GDPR fines imposed in Europe between May 2018 and January 2021, by country (in millions of Euros)


According to data presented by Atlas VPN, GDPR fines hit over €1 billion in 2021 – compared to €171 million in 2020.

A total of 412 penalties were issued last year, with companies like Amazon and WhatsApp paying the most significant penalties for violating GDPR laws.

Since 2018, when the EU implemented the GDPR, the total penalties issued have increased steadily every year, starting from a total of €436k in its inaugural year. In 2019, the sum of total fines increased significantly to €72 million.

Actions to take on your IR website

Your IR website collects personally identifiable information from web visitors and shareholders, including names, email addresses, phone numbers, IP addresses, cookie data, and the URL shown in the visitor’s web browser address bar.

If your shareholders or other users visiting your IR website are located within the European Union (EU), the new General Data Protection Regulation (GDPR) now governs how you collect, store, and use personally identifiable data of these individuals and anyone in the EU.

Fines for GDPR non-compliance may amount to €20,000,000, or up to 4% of a company’s revenue – whichever is greater. In the first 30 days under the GDPR, starting on May 25th, 2018, U.S. companies were sued for more than eight billion dollars. Various data protection authorities also started to enforce the GDPR proactively by conducting organizational surveys, rather than simply waiting for consumer complaints or data breaches to bring compliance failures to the regulators’ attention.

This checklist highlights the 5 most important steps you can take immediately to make sure your data processing remains compliant.

 

1. Write a clear and fair notice of privacy practices to be placed on your IR website

In the U.S. this notice is commonly labeled a “privacy policy”. However, a privacy policy is more commonly understood to be an internal document, whereas this public-facing notice is aimed at an external audience, so “notice of privacy practices” is the more appropriate name.

Add information about the use of data, security, and confidentiality to the website document entitled “Terms of Use and Conditions”, including: the data collected; the collection methods; the specific purposes for which the data is used; the methods and duration of use; the identity and contact information of the data controllers; details of any shared use of the data; the responsibilities of data controllers and operators; and users’ rights regarding the treatment of their personal data under the GDPR. Additionally, explain the risks, the option of denying or withdrawing consent at any time, and the potential inability to use one or more services if consent is denied.

You should avoid “legalese” and overly technical jargon in the privacy notice. Under the GDPR, this type of notice should be easy for your website visitors to browse through and understand.

2. Make sure you have valid consent for your data processing

Website visitors and shareholders must consent to the use of their data (such as the use of cookies) across data capture fields, especially for mailing lists, IR contact forms and marketing content.

Your website must include a notice about the use of cookies, which appears only on a visitor’s first access to the website, for example:

The checkbox options of specific mailing lists (and other data capture fields) must be unchecked by default to make sure that the consent is explicit, as shown in the example below for mailing lists and IR information:

 

 
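The consent rules from step 2 (notice shown only until a decision is stored, every optional purpose unchecked by default, explicit opt-in only, withdrawal at any time) as an added example; this is not MZ’s code, and the purpose names, storage key and policy version are assumptions. Storage is an injected Map so it runs outside a browser; a page would pass a localStorage-backed object instead.

```javascript
// Added example: minimal consent state for an IR website cookie/mailing notice.
const POLICY_VERSION = "2018-05"; // assumed; bump whenever the notice text changes
const STORAGE_KEY = "ir_consent";  // assumed storage key
const ESSENTIAL = new Set(["essential"]);                        // needed to serve the site
const OPTIONAL = ["analytics", "marketing", "ir_mailing_list"];  // assumed purposes, off by default

// Default state: no optional purpose is pre-ticked, so silence is never consent.
function defaultChoices() {
  return Object.fromEntries(OPTIONAL.map((p) => [p, false]));
}

function loadConsent(store) {
  const raw = store.get(STORAGE_KEY);
  return raw ? JSON.parse(raw) : null;
}

// The notice is shown on first access, and again if the policy version changed
// since the stored decision (old consent does not cover a new notice).
function shouldShowNotice(store) {
  const c = loadConsent(store);
  return c === null || c.version !== POLICY_VERSION;
}

// Record an explicit decision with a timestamp. Only a literal `true` counts
// as opt-in; "on", 1 or undefined (a form field left alone) stay false.
function recordConsent(store, choices) {
  const consent = { version: POLICY_VERSION, ts: new Date().toISOString(), choices: defaultChoices() };
  for (const p of OPTIONAL) {
    if (choices[p] === true) consent.choices[p] = true;
  }
  store.set(STORAGE_KEY, JSON.stringify(consent));
  return consent;
}

// Gate before setting a cookie or adding to a list: essential is always allowed,
// anything else needs a stored, current, explicit opt-in for that purpose.
function isAllowed(store, purpose) {
  if (ESSENTIAL.has(purpose)) return true;
  const c = loadConsent(store);
  return c !== null && c.version === POLICY_VERSION && c.choices[purpose] === true;
}

// Withdrawal: keep a record that a decision exists (so the notice does not
// reappear) but drop every opt-in, returning to the all-unchecked state.
function withdrawConsent(store) {
  return recordConsent(store, {});
}
```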

3. Appoint someone to be in charge of privacy and security compliance

If your organization employs 250 or more professionals, is a public authority or is engaged in regular and systematic monitoring of data subjects on a large scale, you should appoint a data protection officer (DPO). The DPO shall take full responsibility for data protection compliance and have the knowledge, support and authority to do so effectively.

But even if you are not required to appoint a DPO, you may benefit from having someone with explicit responsibility for data protection.

4. Make sure data is secure, both in transit and at rest

The GDPR doesn’t provide a lot of new, specific security requirements, but your security policies and procedures are key parts of your GDPR program, so you should make sure that they are appropriate for all types of data you process.

Implement policies and processes for routine interactions with investors, so that all reports containing personal information are stored in a secure environment protected by access control, two-factor authentication (2FA), and access auditing via user logs, making it possible to identify any data leakage.

Make sure your IR website provider maintains a high level of security, with all data stored encrypted so that only your company has access to your information.

Penetration testing (pen testing) is a great way to test your website’s security, since it simulates the actions of a real attacker. A penetration test (pen test) lets you see how well your current security controls protect you against cyberattacks. The main goal of the team performing it is to identify the greatest weaknesses, the most effective attack paths, and the extent of the damage that could be caused.

According to Forbes, 2020 saw the highest number of data leaks and cyberattacks. According to the Global Data Risk Report, only 5% of corporate folders are properly protected. Also, about 78% of information security professionals believe that companies do not have security systems that are good enough to protect them from cyberattacks.

5. What is to be done in case of data leakage?

In case of data leakage, it is important to be transparent. Every company should have a Crisis Committee ready to provide a quick response, a crisis plan designed in advance, and constant monitoring of its communication channels.

We reinforce that data leakage and other security incidents must not be hidden. Beyond being an inadvisable practice that puts data owners at risk, the GDPR requires that any incident likely to cause harm be communicated to the national authority and to the affected people.

Data protection shall be considered an important asset. Thus, in case of leakage, it is necessary to provide clarification to the data protection authorities on the level of technology protection and resources the company has used and, in particular, the impact that the data leakage may have had on the company’s image and future value.

 

About MZ

MZ is a global leader in investor relations solutions. Through innovative technology and exceptional customer service we empower our clients’ investor relations strategy. Our full suite of communications and intelligence solutions, including websites, webcasting, compliance filing, and intelligence, empowers our customers to stay ahead of the market by providing them with all the tools and insights they need to make effective decisions and better engage with the market.

 

PH Zabisky

CEO, MZ

ph@mzgroup.com
