Guernsey: GDPR And Investment Funds

Last Updated: 19 February 2018
Article by Gareth Morgan

Most Read Contributor in Guernsey, August 2018

In the ninth in a series of regulatory columns in Compliance Matters by experts in Guernsey's legal sector, Collas Crill Senior Associate in the Corporate and Commercial team, Gareth Morgan, discusses how the EU General Data Protection Regulation (GDPR) will affect investment fund structures.

GDPR is the current office 'crusade du jour' in many a financial, legal or investment management firm here in Guernsey. The principal tenets of the GDPR will be effective in many offshore jurisdictions via the extra-territorial effect of the regulation itself. In Guernsey, the Data Protection (Bailiwick of Guernsey) Law, 2017 will match the essential safeguards of personal data as set out in the GDPR, so that Guernsey maintains its current status as an 'adequate' jurisdiction, internationally.

The GDPR will affect all firms dealing with the personal data of EU citizens. While we may profess to understand its aims (stronger protections for personal data across the EU and those jurisdictions dealing with the EU), putting it into practice will require some thought when it comes to revising service providers' processes and procedures. Particular markets will face unique challenges in terms of compliance with the GDPR and the DP Law; this article takes a brief look at the investment funds sector.

Data Protection Principles

The DP Law will revise the fundamental principles of data protection, which are in line with the GDPR, namely that data is required to be processed:

  • Lawfully, fairly and transparently
  • In accordance with specified, explicit and legitimate purposes
  • Only to the minimum extent necessary
  • Accurately
  • Stored no longer than is necessary for its purpose
  • With integrity and confidentiality
  • With accountability (by the controller/processor)

So what does this mean for a run-of-the-mill investment fund structure? Investment funds can be complex animals, so it is not always immediately obvious which persons, companies, service providers, etc, might be engaged in the controlling or processing of personal data for the purposes of GDPR and the DP Law and indeed what personal data they may hold or need to hold.

When an investor applies to subscribe for an investment in a fund, they will typically be required to provide their name, date of birth, postal address (and proof thereof), payment details and tax residency (in accordance with established anti-money laundering and "know your client" policies in place from time to time).

This is a relatively short list of requirements (painful as it may be to have to deal with at times), but consider what this involves in terms of handing over personal data: photo identification, utility bills with personal addresses, disclosure of source(s) of wealth/funds, employment details, dependents, investment profile information and more.

This is sensitive data that must be respected by the party or parties collecting it. And it does not necessarily stop at investor data: an investment manager set up alongside a fund will have obligations under GDPR and the DP Law with regard to personal data on the investment manager's employees.

Who are the data controllers/processors in an investment fund context?

Investment funds usually operate under the supervision of a board of directors, who will often delegate certain roles and powers to an investment manager (unless the fund is self-managed). In the context of data protection legislation, the investment manager, the fund itself and the relevant administrator could likely be construed as 'data controllers'.

Additionally, either the fund board or the investment manager will appoint a range of other service providers depending on the type of fund and its needs. For a single investment structure you may have, in addition to an investment manager, a transfer agent, distributor, custodian and a company secretary.

Such service providers would generally be considered to be 'data processors'. Some of those service providers may well outsource certain functions to subsidiaries or third-party agents, further widening the net of potential data processors.

An investor will invariably provide some or all of the information discussed above to one or more of these service providers, either in order to abide by the contractual obligations of investment into the fund (which are usually set out in the information memoranda and subscription documents), or to comply with the 'know your customer' and anti-money laundering policies and procedures of the relevant service providers.

It is also likely that such service providers will need to share investor data between themselves to satisfy their respective roles within the structure. This personal data will be processed and stored by these service providers for their own purposes and on behalf of the fund.

Coming back to the fund itself, the board of directors will of course need to be comfortable that, at each level where data is controlled, processed, stored etc, there are sufficient safeguards and processes in place for the proper governance and protection of the personal data of investors.

As a result, broad and permissive delegation powers often found in investment management and administration agreements will need to be made subject to (among other things) the delegate's ability to demonstrate effective compliance with the GDPR and the DP Law.

What can or should be processed?

With regard to the type and substance of the data held or to be held at each level in a fund, the relevant key principle from the DP Law is that the data should be:

"adequate, relevant and limited to what is necessary for the purposes for which it is processed".

This needs to be considered carefully on a service-by-service basis. When it comes to investor information, what is "necessary" for, say, an administrator, might not be justifiably necessary for a distributor or an investment advisor, so what information can be passed between such entities becomes less clear.

Service providers will need to be able to demonstrate clear, affirmative action by the 'data subject' (i.e. the investor) that they have freely consented to the processing of their personal data.

A general indication of consent from the investor set out in a subscription form will not be sufficient (the consent must be clear and specific) and cannot be used as a blanket permission to control a person's data.

As consent cannot be withdrawn, it should not be obtained where the data controller/processor has a 'specific, explicit and legitimate purpose' in collecting and processing the data, such as for compliance with anti-money laundering legislation. Many standard form fund subscription agreements will as a result need a significant upgrade in this area to account for the specificity required when it comes to investor consent and information rights.

Service providers classed as data processors (these could take the form of agents, sub-custodians and investment advisors) will be directly liable for their activities relating to the processing of personal data.

They will no longer be able to pass on responsibility to the relevant data controller. Further, the precise remit of the data processor with regard to processing investor data will need to be set out in clear instructions from the data controller in the relevant service contract.

Additionally, data subjects must be informed of their rights under the DP Law and GDPR and how to exercise them. A logical place for this disclosure will be in the fund's information documents (scheme particulars, prospectus, etc.), given this is the prime source of information on a fund from an investor perspective.

Who is responsible?

As mentioned above, data controllers and data processors have direct liability for their activities regarding personal data, with their own responsibilities for implementing appropriate safeguards. However, the board of a fund which has appointed these service providers should maintain appropriate oversight and get comfortable that safeguards are in place at every level.

The penalties for breaching the DP Law are more significant than under the existing data protection regime, with fines of up to £300,000 or 10% of global annual turnover (up to a limit of £10 million) possible for breaches of the fundamental principles established under the DP Law.

That being said, the board of a fund will invariably rely upon their administrator for the bulk of their data processing, particularly as it would be part and parcel of the administrator's on-boarding process for investors. With this in mind, administrators may well find themselves under particular scrutiny when pitching for fund business; a service provider who can demonstrate the ability and infrastructure to comply with the GDPR in an efficient and cost-effective manner is going to have a competitive advantage.

A data revolution in the funds industry?

Data is fast becoming one of the most prevalent, and valuable, commodities on the planet. As regulation evolves, so must the market. When considering the impact of GDPR and related legislation on funds, the directors of said funds, as well as each service provider, will need to assess their own obligations and every player needs to understand its responsibilities.

That being said, the GDPR and DP Law have, in effect, tinkered with an established regime to make it tighter, more transparent and fairer for data subjects. But the basic framework, with which investment funds and service providers have all been complying for many years, is still there.

So a revolution this is not, and provided the players involved commit to the early adoption of sensible procedures and documentation to ensure investor data is appropriately used and safeguarded, it can be business as usual.

An original version of this article was first published in Compliance Matters, January 2018.

For more information about Guernsey's finance industry please visit www.weareguernsey.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
