Funds and asset servicers need action plan to manage GDPR
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. The aim of GDPR is to modernise the existing EU data protection framework so that businesses protect personal information consistently across the EU.
GDPR’s obligations relate to the ‘processing’ of ‘personal data’ by a ‘controller’ or ‘processor’. A fund will be a data controller and a fund administrator will typically be a processor of investor personal data, while the status of an investment manager will depend on the scope of its control over the investor data. It is therefore quite likely that a particular set of personal data will have more than one controller, each processing it for different purposes.
For the parties within an investment fund structure to determine accurately which of them are controllers and which are processors of investor personal data, it is important for them to conduct a factual data mapping exercise. This aims to ascertain what personal data they hold, why it was obtained, how it is processed, where it is transferred and who is responsible for deciding the purpose and means of processing it.
USE OF DATA
Under GDPR it is only permissible to process personal data where a prescribed legal basis applies. Such legal bases include, amongst others, obtaining consent from individual data subjects, compliance with a legal obligation of a fund or because it is necessary for a fund’s ‘legitimate interests’.
There are nuances to the various legal bases, which funds and their advisers need to consider. For example, the ‘legal obligation’ basis is available only where the obligation arises under EU or member state law. A non-EU fund entity seeking to comply with non-EU anti-money laundering requirements will therefore need to rely on another ground to legitimise that processing.
Fund entities, managers and their legal advisors need to identify the specific processing/uses of investor personal data and map it to the relevant legal basis. Firms will then need to update fund data privacy notices to ensure they set out the legal basis for processing personal data and contain all other requisite GDPR disclosures. Given that funds and managers may both be controllers in respect of the same set, or subset, of personal data but with different processing purposes, funds and managers should send separate data privacy notices to investors.
Managers based in the EU and managing EU-domiciled funds will be fully subject to GDPR in respect of all personal data they process whether or not it relates to an EU individual. Non-EU funds managed by EU managers will also be subject to GDPR.
In addition, GDPR will apply to non-EU managers managing non-EU funds in certain situations, most commonly if the manager has an affiliate or branch in the EU, or if interests in the fund, or the manager’s services, are offered to individuals in the EU. The interpretation of what constitutes an ‘offering’ under GDPR is very broad and may apply where there are indications that a fund will accept EU investors.
ENHANCED DATA RIGHTS
Since funds and their service providers receive and process investor personal data, all applicable agreements between them need to be reviewed for compliance with GDPR provisions.
It is crucial to remember that data subjects are bestowed enhanced rights under GDPR. Such rights include the right of access to personal data being processed, the right to be forgotten as well as the right to data portability and to object to processing of data in certain circumstances.
Since fund entities will typically not hold investor personal data themselves, they must ensure that their contracts with the service providers holding that data adequately address these rights. They also need to be satisfied that their service providers, through their data processing arrangements, can handle any such requests from data subjects within the timeframes GDPR requires.
Funds and their service providers need to ensure GDPR compliance. Essential early steps would include data mapping, reviewing security measures, updating data protection policies/privacy notices and amending service provider agreements. We are encouraging all stakeholders in the alternative asset sector to act now to implement the changes necessary to ensure GDPR compliance by 25 May.
Published in HFM Week, 12-18 April 2018 edition