GDPR requirements replace and extend the current data protection regime. This note summarises the main changes and sets out actions that fund managers must take.
It will not have gone unnoticed that we are now in the last 14 days before the EU General Data Protection Regulation 2016/679 (GDPR) comes into force on 25 May 2018.
The GDPR requirements replace and extend the EU's current data protection regime, and this note summarises the main changes from the current regime and sets out the actions that fund managers must take before then.
How we can help
GDPR requires controllers to inform each data subject of their rights in relation to personal data, which is being done by sending a data privacy notice to each existing investor and updating the application form to provide notice to future investors. The main priority for UK authorised fund managers over the next 14 days will be sending out these data privacy notices to investors. We have assisted various fund managers with their GDPR preparations, and in particular our template privacy notice has helped fund managers to prepare their notices in a short timeframe, so it may still be possible to send out your notices before this deadline. The "Preparations for GDPR" section of this article explains other actions that fund managers must take.
We are well placed to advise you on all aspects of your compliance with GDPR and have prepared various GDPR templates, including:
- privacy notice for UK regulated funds
- application form supplement
- general data protection policy and sub-policies
- supplier due diligence questionnaire
- IMA clause template
- website notice template, and
- record of processing activities template.
Our team is available to assist with any final preparations that you may be making. Please do contact us if you require any advice on your GDPR implementation project or would like to see a full list of templates available.
The General Data Protection Regulation
The GDPR regulates the "processing" of personal data of individuals, where processing includes collecting, recording, storing, using, disseminating and deleting such personal data. The main GDPR terminology and its application to regulated funds are set out in the below table:
| Term | Meaning under GDPR | Effect for UK regulated funds |
| --- | --- | --- |
| Personal data | Information relating to a data subject that can be used to identify that person (for example name, ID number, address and online identifiers) | Any such information that is processed, whether held in electronic form or otherwise. This will likely include investor records, KYC documents, completed subscription forms and marketing databases. |
| Data subject | A living person whose personal data is processed | Investors who are natural persons, and the officers, employees or beneficial owners of investors that are entities. (Note: your employees and officers and those of suppliers and customers will also be data subjects under GDPR.) |
| Controller | A person that determines how and why personal data is processed | For UK regulated funds structured as OEICs, both the funds and the management companies are likely to be controllers. |
| Processor | A person that processes the personal data as instructed by a data controller | Likely to include administrators, transfer agents, depositaries and IT providers. (Note: a processor may also, for different purposes, be a controller of personal data.) |
A controller must ensure compliance with the following data processing principles:
- Lawfulness, fairness and transparency - personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation - personal data must be collected for specified, explicit and legitimate purposes, and there should not be any further processing that is incompatible with those initial purposes.
- Data minimisation - personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy - personal data must be accurate and kept up to date (if necessary), and every reasonable step must be taken to ensure inaccurate personal data is erased or rectified without delay (having regard to the purposes for which they are processed).
- Storage limitation - personal data must be kept no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality - there must be appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Unlike the current data protection regime, the GDPR will be directly effective. In the UK, the Information Commissioner's Office (ICO) will regulate the GDPR, although the Financial Conduct Authority (FCA) will consider a regulated firm's compliance with GDPR requirements under its own rules, in particular the rules in SYSC under which firms must establish, maintain and improve appropriate technology and cyber resilience systems and controls. A firm operating in multiple member states may designate the ICO as its "lead supervisory authority" if its main establishment is in the UK.
The GDPR will apply to data controllers outside of the EEA if they either offer goods or services to EEA-based data subjects or monitor the behaviour of EEA data subjects, and to the processors of such persons.
Changes from the current data protection regime
The main changes from the current data protection regime are:
- Board responsibility - compliance with the GDPR is a board level responsibility and firms must be able to produce evidence to demonstrate actions taken to comply with the GDPR requirements.
- Consent - there are stricter rules on obtaining consent of data subjects as a way of justifying the use of their data. Consent must be freely given, specific, informed and unambiguous. There are also specific rules requiring consent to electronic marketing, although these do not apply where marketing is to an organisation rather than an individual. As consent can be withdrawn, firms will not generally wish to rely on consent except where necessary in relation to marketing.
- Information - data subjects must be informed of their rights and how they can exercise these. This will likely require amendments to subscription agreements and websites and the prospectus may need to be updated as part of the next general update if it currently contains data protection disclosures.
- Rights of access - data subjects will have increased rights over personal data that may be held. In addition to the ability to request access to data that is held (which must now be done within 30 days), they also have rights to request corrections, to object to the processing of their data, the right to be forgotten and for the data to be transferred to another data controller (known as data porting).
- Data protection officers - certain firms, for example those whose main activities involve regular and systematic monitoring of data subjects, will need to appoint an expert statutory data protection officer. This is unlikely to apply to fund managers.
- Record keeping - data processors and controllers must keep records of data processing activities carried out.
- Notification of security breaches - a breach that does or may result in a high risk to rights of data subjects must be notified to the ICO within 72 hours, and data subjects must be notified without undue delay if there is a high risk to their rights.
- Increased penalties - fines can be (i) the higher of up to 4% of global turnover or €20m for major breaches, and (ii) the higher of up to 2% of global turnover or €10m for more minor breaches. These fines are in addition to any damages claims brought by individuals.
Preparations for GDPR
The steps that authorised fund managers must take in preparation for the GDPR include:
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.