The General Data Protection Regulation ("GDPR") will become law across the EU on 25 May 2018 and substantially updates the current data protection regime. It replaces the current rules governing the collection, storage and processing of personal data contained in the Data Protection Acts 1988 to 2003 (the "Acts"). Firms need to make sure they are compliant by that date.
Key Definitions in GDPR
Data subject means an identified or identifiable natural person. In a funds context this is most likely to be investors or officers and employees of the management company.
Personal data means any information relating to a data subject, who can be identified, directly or indirectly. For example, a share register, associated Know Your Client documentation, data and information on directors and employees of a management company.
Data controller means any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, such as a management company or fund umbrella.
Data processor means a natural or legal person who processes personal data on behalf of the data controller, such as a fund administrator, distributor and/or other delegates that receive personal data.
Key Changes - Data Controllers
Consent: There must be clear and demonstrable affirmative action by the data subject to grant consent for their data to be used. Consent must be granular if being given for more than one purpose; ticking a box granting general permission will no longer be allowed. This will require a review of fund subscription documents to ensure consents are sufficiently granular and are relied on only where "legitimate interest" will not apply. Legitimate interest arises where processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, for example, collecting personal data for anti-money laundering purposes (subject to overriding interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Information: Data subjects must be informed of all their rights and how to exercise them. This can be achieved through enhanced disclosures in the prospectus, subscription documents and the adoption of a data protection policy ("DP Policy") at management company and umbrella level.
Appointing data processors: Strict new adequacy assessment rules must be followed and prescribed clauses included in all contracts. Administration agreements will need to be reviewed and updated.
Data breaches: New reporting rules and timelines will apply. Management companies need to have procedures and reporting mechanisms in place, which should be included in the DP Policy.
Extra-territoriality: The GDPR will apply to companies outside the EU if they are providing services to EU data subjects or data controllers. Where administrators or other delegates outsource outside the EU, they must ensure GDPR will also apply to such delegates.
New rights: Data subjects will get new rights such as the right to erasure and the right to data portability (which allows a data subject to obtain and reuse their personal data in certain circumstances).
Risk basis: Data controllers must minimise risks by ensuring any new systems are designed to protect privacy and by reviewing privacy impact assessments carried out by their processor.
Key Changes - Data Processors
Direct liability: Data processors will be directly liable for their own processing activity, rather than liability resting solely with the data controller. Administrators and other delegates will therefore have direct responsibility for how they process personal data.
Instructions: Data processors will only be able to process personal data strictly in accordance with the data controller's instructions as set out in a contract. Management companies, administrators and other delegates should revisit relevant agreements to provide clear instructions that cover the use of any personal data.
Sub-processors: These cannot in future be engaged before identifying them to, and obtaining the consent of, the data controller. Any existing outsourcing by delegates and administrators should be reviewed to ensure consent is in place, and a process developed to ensure any new relationships are agreed with the management company.
Security: Data processors will be directly obliged to implement appropriate technical and organisational safeguards. Oversight of administrators should incorporate checks that appropriate safeguards are in place.
Data transfers: There are stronger restrictions on transferring personal data to countries outside the EU. It is recommended that data controllers carry out a mapping exercise to understand the types, purpose and location of data collected: any transfers outside the EU should be highlighted, and the impact of Brexit should also be considered for any UK delegates or data processed in or transferred to the UK (as the UK will no longer be an EU Member State).
Records: Data processors will have to maintain records and other information for each data controller they work on behalf of for a certain period of time. The record retention policies of administrators and other delegates should be checked.
Data Protection Commissioner registration: This is no longer required, but organisations with more than 250 employees must keep prescribed, detailed documentation recording their processing activities.
AIFMs and UCITS management companies and fund umbrellas are likely to be data controllers under the GDPR; this would include self-managed funds.
Fund administrators, distributors, investment managers and depositaries are likely to be regarded as data processors under the GDPR.
The personal data held will generally be that of natural investors, or officers and employees of corporate entities.
Enforcement: Breaches of the GDPR can result in fines of up to €20 million or 4% of a firm's global turnover, whichever is higher.
The following actions should be taken to ensure you are compliant:
(a) Information audit and data mapping
You need to ask the five "Ws" – whose is it, what is it, where is it, why am I processing it, and when did I get it? You must be able to demonstrate that your processing activity is compliant.
(b) Consent: Consider how you gain consent for the use of personal data in all your contracts to minimise your risk, and see what can be re-categorised as "legitimate interest" processing.
(c) Policies and procedures: These will need to be updated to include the new rights and information to which a data subject is entitled.
(d) Create awareness: GDPR straddles many areas of a business – e.g. HR, Marketing, IT and so on. Speak with key stakeholders about current practice and see what changes are necessary.
(e) Employment contracts: These are subject to the GDPR and will need to be revised, particularly in respect of consent.
(f) Contracts with delegates: Agreements with third parties for the processing of personal data (e.g. administration agreements) will have to be revised so that they include the new compulsory clauses.
(g) Subject access requests: Create or refine your DP Policy to cope with the new 30-day turnaround limit.
(h) Education: Run training courses for staff handling personal data that explain their GDPR obligations.