VP SECURITIES is on track with GDPR compliance

The EU’s new General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, gives private individuals a new set of "digital rights" at a time when the economic value of personal data is increasing. The right to know about your own personal data, and the right to be forgotten, are among the key rights that data controlling companies such as VP must support, going forward. In GDPR’s terminology, VP is a data controller in its core business of handling securities in the VP system. VP is on track with the necessary, but not extensive, changes to its existing procedures.

“Compliance with GDPR does not disrupt our current business processes,” says COO Morten Kierkegaard of VP. “We will not need to change the interfaces to our customers. Customer agreements will see some minor changes, and we will build a digital facility for individuals to enquire about their own personal data. We will also make a set of other changes, but these are minor and manageable, and we will be compliant before 25 May.”

The new rights and obligations set out in GDPR interact with VP’s obligations set out in the CSD Regulation (CSDR). CSDR imposes a duty on VP to hold CSD data for a period of ten years. As such, during this period of time VP will not be permitted to delete data that is part of its core business, and while private individuals do not have the right to be forgotten, they still maintain the right to be informed about their own data. After these ten years, VP will automatically delete the personal data.

VP will also initiate dialogue with suppliers to ensure their compliance with GDPR before it enters into force. During the spring of 2018, VP will inform partners and market participants in greater detail about the necessary adjustments.