eVestment is addressing GDPR as part of the Nasdaq family of companies. As a global organization, Nasdaq understands the special requirements related to privacy and information security when processing personal data. Accordingly, Nasdaq accounts for privacy laws and regulations that apply to the different geographies in which we operate, including the GDPR.
Under the direction of Nasdaq’s GDPR Project Steering Committee, we have devoted substantial time, funding and executive focus to prepare for the requirements of the GDPR and establish a robust ongoing privacy compliance program that will be able to respond to evolution in law and guidance as well as address changes within our business or individual incidents that may occur.
Below is a summary of key information regarding GDPR and eVestment’s processing of personal data:
- Data Processing Assessment and Analysis: We conducted data mapping of our business systems and processes across our enterprise. Where we identified personal data processing subject to GDPR, we assessed the basis for processing and evaluated that appropriate technological and organizational measures are in place to protect the data.
- Client Data Processing Addendums: We have a GDPR-based Data Processing Addendum (“DPA”) available to our clients. To request a Client DPA, please contact firstname.lastname@example.org or your eVestment representative.
- Vendor Diligence and Data Processing Addendums: We perform comprehensive due diligence on our vendors and require GDPR-based Data Processing Addendums from our vendors that process personal data.
- Data Contributors: Many firms voluntarily provide data to eVestment for inclusion in our databases and other data products pursuant to a data input agreement. This data may include personal data, which we process in accordance with the contributing firm’s instructions. For further information, please see the Data Contributor FAQs available at www.evestment.com/gdpr/data-contributors/
- Product Development: Our updated product design and development process applies privacy-by-design and GDPR principles, including data minimization, and a process for conducting a data protection impact assessment if required.
- Mechanisms for Addressing Individual Requests: We have developed processes for addressing data subject requests where we are a data controller and for referring data subject requests to the controller where we serve as a processor. Any data subject may contact us at email@example.com to exercise his/her rights.
- Data Breach Response: We have incorporated GDPR into our overall corporate data breach response program and have conducted scenario-based training to prepare for potential situations that may require notification under GDPR.
- Training: We have conducted awareness and function-specific training events for our employees and continue to do so.