GDPR VS. THE FUND INDUSTRY
In the light of the new legal GDPR requirements, there are a number of steps fund managers and investment companies will have to take in order to secure full compliance with the new data handling regime.
It is hard to think of a business sector that wouldn’t be affected by the General Data Protection Regulation (GDPR). The regulation, which comes into force on 25 May 2018, is about to completely change the way in which personal data is collected, handled and used globally. Some companies will have to completely re-think their business models, others will be forced to make smaller or bigger adjustments, but changes in their day-to-day data handling are definitely required. When it comes to the fund industry, the situation isn’t much different. Although the impact is not as drastic as it is for heavily web-based businesses, in the light of the new legal requirements there are a number of steps fund managers and investment companies will have to take in order to secure full compliance with the new data handling regime.
GDPR in brief
GDPR is a regulation by which the European Union tries to strengthen and unify data protection for all individuals within the EU. It replaces the data protection directive implemented in 1995 and is directly binding and applicable in all EU member states without requiring national governments to pass any enabling regulation. Its main goal is to give control back to citizens and EU residents over their personal data and to simplify the way international businesses make use of that data by applying unified regulation across the EU member states. Funds, fund managers and investment companies will have to put all of their stakeholders, whether they are employees, investors in a fund, co-investors, customers or employees of portfolio companies, in full control of their personal data, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
It is also important to remember that the new data protection regime applies not only to EU-based businesses but also to all foreign companies processing the data of EU residents.
Implications for fund managers and investment companies
To be able to understand what kind of changes fund managers and investment companies are required to implement, it is important to first differentiate between Data Controllers, Processors and Data Subjects in their businesses:
Data Controllers are entities collecting data from EU citizens. In that sense, Data Controllers will be funds, fund managers and investment companies.
Data Processors are entities which process the personal data on behalf of Controllers, for example third party service providers. In that sense, fund administrators, placement agents, external valuation providers and distributors are most likely to be considered Data Processors.
Data Subjects are all individuals whose personal data are being collected and processed by Data Controllers and Data Processors, e.g. fund investors, co-investors, venture partners, fund managers’ and investment companies’ employees, and employees of portfolio companies.
Although data processing is not a primary function of fund managers and investment companies, in practice these companies will have to take more accountability for their personal data collection and processing practices in order to be compliant.
Rights & Obligations
In the light of the GDPR, data subjects (owners) gain the right to:
- Be informed about the purpose of the data use at the point of data collection or within a reasonable period afterwards,
- Access data which have been collected concerning them and to exercise that right easily and at reasonable intervals,
- Rectify inaccurate data,
- Be forgotten (to have their data deleted upon request),
- Object to the processing of any personal data relating to their particular situation,
- Transmit their data to another controller (also known as data portability),
- Not to be subject to a decision evaluating personal aspects relating to them which is based solely on automated processing and which produces legal effects concerning them.
Businesses controlling and/or processing personal data are obliged to comply with the following requirements:
- Purpose limitation – data is to be kept for specified, explicit and lawful purposes and not further processed for any other purposes
- Data Minimisation – stored data should be adequate, relevant and not excessive. Companies can only keep the minimum amount of personal data needed for the purpose for which it is processed and should avoid keeping irrelevant or excessive data
- Relevance – data needs to be kept up to date
- Storage Limitation – data should be stored only for as long as it is necessary and not kept on a “just in case”-basis
- Security Measures – all measures should be taken to keep collected data as safe as possible from potential leakage, unauthorized access or destruction of the data
- Third Country Transfer – ensuring that transfer of personal data outside the EU to third countries or international organisations is compliant with the GDPR’s restrictions on such transfers
- Appointment of a Data Protection Officer (if applicable) – data controllers and processors must designate a Data Protection Officer if certain conditions are met (e.g. large-scale data processing)
- Data Breach Notification – serious data breaches should be communicated to the national supervisory authority without undue delay
- Record keeping of data processing activities – controllers and processors should maintain records of processing activities under their responsibility
- Clear consent – data subjects should give consent for the collection and processing of their personal data by a clear affirmative act.
Companies failing to comply with the requirements of the GDPR may be exposed to the maximum level of fines, that is, up to 20 million euro or up to 4% of the total worldwide annual turnover, whichever is higher.
At Permian, we are taking all the necessary steps to secure our own operations as well as to make sure our customers are in good hands when they consider us as their Data Processor. We can advise on 10 practical steps and measures fund managers and investment companies should take to bring their businesses in line with the GDPR.
If you have any questions and would like to learn about our experiences, measures, system automations, and data protection policies, or you are looking for help in improving your own operations, feel free to contact us at firstname.lastname@example.org