Fund managers are now rushing to comply with the EU General Data Protection Regulation (GDPR), which will apply from 25 May 2018. While data protection regulation is not a new concept in the EU, the GDPR significantly expands the rules on using personal data and increases the risks of processing personal data compared to existing legislation. Even fund managers with little or no footprint in the EU may be affected. Failing to comply with the new rules can have serious reputational and financial consequences for a business, including fines for data breaches of up to the higher of Euro 20 million or 4% of global turnover.
Who does the GDPR impact?
A business that determines the purposes and means of the processing of personal data is called a 'data controller', whilst a business processing personal data on behalf of a data controller is called a 'data processor'. Both data controllers and data processors are subject to a range of obligations under the GDPR. A data processor may also act as a data controller in respect of certain activities where it does determine the purposes and the means of processing, for example where it has its own regulatory obligations that require it to carry out its own anti-money laundering checks.
Depending on the structure of a fund, it is likely that the data controller will be the general partner, manager and/or administrator. The general partner or manager will in all likelihood have to appoint third-party data processors, which may include an administrator, payroll firm and/or other delegates that receive third-party personal data.
Whose personal data?
A fund manager will process the personal data of:
- its investors that are individuals;
- its own employees and officers;
- in the case of its investors organised as entities, the personal data of the directors, members, shareholders and other beneficial owners of that investor (as required for know-your-client (KYC) and related anti-money laundering (AML) purposes).
What kind of personal data and where is it found?
Personal data may include, amongst others, name, address, date of birth, contact information and bank account information. Personal data may be found in subscription documentation, KYC/AML information, side letters, employment agreements and carried interest documentation.
We are a non-EU based fund manager so does it impact us?
A key change brought in by the GDPR is the expansion of its territorial scope. An EU affiliate of a non-EU based fund manager would be directly subject to the GDPR. But even managers with no EU presence may trigger GDPR compliance obligations: if a non-EU based fund manager either (i) offers goods or services (such as fund interests) to individuals in the EU, or (ii) monitors the behaviour of individuals within the EU, then the non-EU fund manager may be subject to the GDPR.
What about Brexit?
Brexit is unlikely to affect GDPR compliance; the current government has confirmed that after Brexit the plan is to convert the GDPR into UK domestic law.
What should we do to comply with the GDPR?
- Develop firm-wide awareness of the legislation and how it affects the business;
- Audit and review existing systems, procedures and contracts and conduct an information audit, using a risk-based approach, by starting with the areas of the business that hold the highest concentration of personal data. One challenge is that administrators may also outsource data processing activities, and fund managers will need to understand exactly where data is held and processed;
- Ensure that you have appropriate technical and organisational measures in place to protect personal data;
- Update contracts with third party service providers;
- Ensure that you have appropriate mechanisms in place to deal with a "subject access request";
- Update privacy policies used on websites;
- Make sure the right procedures are in place to be able to report a security breach within 72 hours of becoming aware of it.