Investment Funds Update: The Funds Industry and the GDPR – Get Prepared
07 September 2017
From 25 May 2018, the General Data Protection Regulation (GDPR) will apply across the EU, marking the most significant overhaul of privacy and data protection legislation in more than 20 years.
With obligations set to become more onerous, funds, administrators, depositories and everything in between need to consider how they control and process personal data.
Scope of the GDPR
Significantly, the GDPR will have extra-territorial effect. This means that non-EU controllers and processors of personal data will be subject to the requirements of the GDPR where they either (i) offer goods or services to data subjects in the EU or (ii) monitor the behaviour of data subjects in the EU. One reprieve from the GDPR’s broadened scope is the concept of the “one-stop-shop”. This allows an organisation with establishments in multiple Member States to be regulated by a single lead supervisory authority in respect of its cross-border processing, rather than by the authority of each Member State in which it operates.
Mapping the data
Initially, funds should review and map all the personal data which they control or process. In particular, this exercise should identify how the data is held, why it is held, and for how long it is held. A fund will need to fully understand the various aspects of its data flows, including:
- in what capacity it processes the data
- the legal basis for this processing
- any cross-border transfers of data, and
- the extent of its compliance obligations.
Important considerations for funds
The following are a number of the issues that funds should consider in advance of GDPR going live:
- Consent, as a legal basis for processing personal data, will become more difficult to obtain. Funds should therefore review their consent mechanisms and may need to rely on alternative legal bases to legitimise their processing. Where consent is sought, it must be freely given, specific and informed, and must be signalled by an unambiguous, affirmative action on the part of the data subject; pre-ticked boxes and silence will not suffice. Notably, it must also be as easy to withdraw consent as it was to give it. Consent will, therefore, need to be affirmative, granular and revocable.
- Funds must be able to demonstrate that they comply with data protection legislation (the principle of accountability). In short, if the relevant supervisory authority comes knocking on the door, the fund must be able to show how it complies with the GDPR, for example by producing documentation such as records of processing activities, data protection policies and data processing agreements. Similarly, the principles of ‘data protection by design’ and ‘data protection by default’ require that data protection be integrated into a company’s operations and systems from the outset, rather than bolted on afterwards.
- In line with the principle of transparency, the GDPR requires that individuals receive sufficient information about how their personal data is processed. A data subject who reads the fund’s prospectus or subscription application form should be able to understand the purposes for which, and the legal basis on which, their personal data is processed. Data subjects will also need to be informed of the retention periods for specific data sets and of any mechanism relied upon to transfer their data to countries outside the EEA.
- Data subjects will also have rights of access, rectification, erasure, restriction of processing and portability (i.e. receiving their data in a structured, commonly used, machine-readable format and having it transmitted to another controller).
Importantly, where processing is based on the legitimate interests legal basis, data subjects will have the right to object to that processing at any time. Funds and administrators must review their systems and processes to ensure they can locate all personal data held on an individual and respond to these requests within the time limits the GDPR sets (generally one month).
- Currently, a contract between a controller and a processor need only stipulate that the processor (i) acts only on the controller’s instructions and (ii) deploys appropriate security measures. The GDPR prescribes a much longer list of mandatory terms for such contracts, covering matters such as confidentiality, the appointment of sub-processors, assistance with data subject requests and security obligations, audit rights, and the return or deletion of data at the end of the engagement. Fund administration is a common example of a controller-processor relationship, so the agreements between funds and their administrators will be directly affected. As pre-existing data processing agreements are unlikely to address all of the new requirements, fund managers, administrators, depositories and other service providers need to be ready to amend their existing processing arrangements.
- Funds must also be aware of the scrutiny applied to cross-border transfers of personal data and should therefore develop a deeper understanding of their data flows. While personal data can move freely within the EEA, transfers to countries outside the EEA are permitted only where the receiving country has been deemed by the European Commission to provide an adequate level of protection, or where appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place to protect the data.
- The GDPR increases the fines that can be imposed on controllers and processors, to a maximum of €20 million or 4% of total worldwide annual turnover, whichever is greater. In Ireland, enforcement notices will no longer be required in advance of imposing liability; the regulator will be able to impose fines directly on controllers and processors.
This is a brief overview of the significant changes introduced by the GDPR and of the challenges that preparing for the new regime presents for funds industry participants. In advance of 25 May 2018, funds, administrators and third-party service providers should be fully aware of the work involved in renegotiating agreements and altering existing systems.
The content of this article is provided for information purposes only and does not constitute legal or other advice.