The General Data Protection Regulation ("GDPR") will become law across the EU on 25 May 2018 and substantially updates the current data protection regime. It replaces the current rules governing the collection, storage and processing of personal data contained in the Data Protection Acts 1988 to 2003 (the "Acts"). Firms need to make sure they are compliant by that date.
Key Definitions in GDPR
Data subject means an identified or identifiable natural person. In a funds context this is most likely to be investors or officers and employees of the management company.
Personal data means any information relating to a data subject, who can be identified, directly or indirectly. For example, a share register, associated Know Your Client documentation, data and information on directors and employees of a management company.
Data controller means any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, such as a management company or fund umbrella.
Data processor means a natural or legal person who processes personal data on behalf of the data controller, such as a fund administrator, distributor and/or other delegates that receive personal data.
Key Changes - Data Controllers
Consent
There must be clear and demonstrable affirmative action by the data subject to grant consent for their data to be used. Consent must be granular if it is being given for more than one purpose; ticking a box granting general permission will no longer be allowed. This will require a review of fund subscription documents to ensure consents are sufficiently granular and are only relied on where "legitimate interest" will not apply. Legitimate interest arises where processing is necessary for the purposes of the legitimate interests of the data controller or of a third party, for example, collecting personal data for anti-money laundering purposes (subject to overriding interests or fundamental rights and freedoms of the data subject that require protection of personal data).
Information
Data subjects must be informed of all their rights and how to exercise them. This can be achieved through enhanced disclosures in the prospectus and subscription documents and the adoption of a data protection policy ("DP Policy") at management company and umbrella level.
Appointing data processors
Strict new adequacy assessment rules must be followed and prescribed clauses included in all contracts. Administration agreements will need to be reviewed and updated.
Data breaches
New reporting rules and timelines will apply. Management companies need to have procedures and reporting mechanisms in place, which should be included in the DP Policy.
Extra-territoriality
The GDPR will apply to companies outside the EU if they are providing services to EU data subjects or data controllers. Where administrators or other delegates outsource outside the EU, they must ensure the GDPR will also apply to such delegates.
New rights
Data subjects will get new rights such as the right to erasure and the right to data portability (which allows a data subject to obtain and reuse their personal data in certain circumstances).
Risk basis
Data controllers must minimise risks by ensuring any new systems are designed to protect privacy and by reviewing privacy impact assessments carried out by their processors.
Key Changes - Data Processors
Direct liability
Data processors will be directly liable for their own processing activity, rather than liability resting with the data controller. Administrators and other delegates will therefore have direct responsibility for how they process personal data.
Instructions
Data processors will only be able to process personal data strictly in accordance with the data controller's instructions as set out in a contract. Management companies, administrators and other delegates should revisit the relevant agreements to provide clear instructions that cover the use of any personal data.
Sub-processors
In future, sub-processors cannot be engaged without first identifying them to, and obtaining the consent of, the data controller. Any existing outsourcing by delegates and administrators should be reviewed to ensure consent is in place, and a process developed to ensure any new relationships are agreed with the management company.
Security
Data processors will be directly obliged to implement appropriate technical and organisational safeguards. Oversight of administrators should incorporate checks that appropriate safeguards are in place.
Data transfers
There are stronger restrictions on transferring personal data to countries outside the EU. It is recommended that data controllers carry out a mapping exercise to understand the types, purpose and location of data collected: any transfers outside the EU should be highlighted, and the impact of Brexit should also be considered for any UK delegates or data processed in or transferred to the UK (as the UK will no longer be an EU Member State).
Records
Data processors will have to maintain records and other information for each data controller they work on behalf of for a certain period of time. The record retention policies of administrators and other delegates should be checked.
Data Protection Commissioner registration
Registration is no longer required, but organisations with more than 250 employees must keep prescribed, detailed documentation recording their processing activities.
Your Status
AIFMs and UCITS management companies and fund umbrellas are likely to be data controllers under the GDPR; this would include self-managed funds.
Fund administrators, distributors, investment managers and depositaries are likely to be regarded as data processors under the GDPR.
The personal data held will generally be that of natural investors, or officers and employees of corporate entities.
Enforcement
Breaches of the GDPR can result in fines of up to €20 million or 4% of a firm's global turnover, whichever is higher.
Recommended actions
The following actions should be taken to ensure you are compliant:
(a) Information audit and data mapping
You need to ask the five "Ws": whose is it, what is it, where is it, why am I processing it, and when did I get it? You must be able to demonstrate that your activity is compliant.
(b) Consent
Consider how you gain consent for the use of personal data in all your contracts to minimise your risk, and see what can be re-categorised as "legitimate interest" processing.
(c) Policies and procedures
These will need to be updated to include the new rights and information to which a data subject is entitled.
(d) Create awareness
GDPR straddles many areas of a business, e.g. HR, Marketing, IT and so on. Speak with key stakeholders about current practice and see what changes are necessary.
(e) Employment contracts
These are subject to the GDPR and will need to be revised, particularly in respect of consent.
(f) Contracts with delegates
Agreements with third parties for the processing of personal data (e.g. administration agreements) will have to be revised so that they include the new compulsory clauses.
(g) Subject access requests
Create or refine your DP Policy to cope with the new 30-day turnaround limit.
(h) Education
Run training courses for staff handling personal data that explain their GDPR obligations.
How can we help?
Maples and Calder have created a GDPR update package to help ensure fund management company compliance, encompassing:
- An information audit and data mapping exercise;
- Updates to disclosures in the prospectus;
- Updates to the administration agreement;
- Revision of consents in subscription documents; and
- Policies and procedures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.