GDPR for UK regulated funds

GDPR requirements replace and extend the current data protection regime. This note summarises the main changes and sets out actions that fund managers must take.

It will not have gone unnoticed that we are now in the last 14 days before the EU General Data Protection Regulation 2016/679 (GDPR) becomes applicable on 25 May 2018.

The GDPR requirements replace and extend the EU's current data protection regime, and this note summarises the main changes from the current regime and sets out the actions that fund managers must take before then.

How we can help

GDPR requires controllers to inform each data subject of their rights in relation to personal data, which is being done by sending a data privacy notice to each existing investor and updating the application form to provide notice to future investors. The main priority for UK authorised fund managers over the next 14 days will be sending out these data privacy notices to investors. We have assisted various fund managers with their GDPR preparations, and in particular our template privacy notice has helped fund managers to prepare their notices in a short timeframe, so it may still be possible to send out your notices before this deadline. The "Preparations for GDPR" section of this article explains other actions that fund managers must take.

We are well placed to advise you on all aspects of your compliance with GDPR and have prepared various GDPR templates, including:

  • privacy notice for UK regulated funds
  • application form supplement
  • general data protection policy and sub-policies
  • supplier due diligence questionnaire
  • IMA clause template
  • website notice template, and
  • record of processing activities template.

Our team is available to assist with any final preparations that you may be making. Please do contact us if you require any advice on your GDPR implementation project or would like to see a full list of templates available.

The General Data Protection Regulation

The GDPR regulates the "processing" of personal data of individuals, where processing includes collecting, recording, storing, using, disseminating and deleting such personal data. The main GDPR terminology and its application to regulated funds are set out in the below table:

GDPR term: Personal data
Meaning under GDPR: Information relating to an identified or identifiable living person (for example name, ID number, address and online identifiers).
Effect for UK regulated funds: Any such information that is processed, whether held electronically or otherwise. This will likely include investor records, KYC documents, completed subscription forms and marketing databases.

GDPR term: Data subject
Meaning under GDPR: A living person whose personal data is processed.
Effect for UK regulated funds: Investors who are natural persons, and the officers, employees and beneficial owners of investors that are entities. (Note: your own employees and officers, and those of your suppliers and customers, will also be data subjects under GDPR.)

GDPR term: Controller
Meaning under GDPR: A person that determines how and why personal data is processed.
Effect for UK regulated funds: For UK regulated funds structured as OEICs, both the fund and the management company are likely to be controllers.

GDPR term: Processor
Meaning under GDPR: A person that processes personal data on the instructions of a controller.
Effect for UK regulated funds: Likely to include administrators, transfer agents, depositaries and IT providers. (Note: a processor may also, for different purposes, be a controller of personal data.)

A controller must ensure compliance with the following data processing principles:

  • Lawfulness, fairness and transparency - personal data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation - personal data must be collected for specified, explicit and legitimate purposes, and there should not be any further processing that is incompatible with those initial purposes.
  • Data minimisation - personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy - personal data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data which is inaccurate (having regard to the purposes for which it is processed) is erased or rectified without delay.
  • Storage limitation - personal data must be kept no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality - personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the GDPR gives pseudonymisation and encryption as examples of such measures).

Unlike the current data protection regime, the GDPR will be directly effective. In the UK, the Information Commissioner's Office (ICO) will regulate the GDPR, although the Financial Conduct Authority (FCA) will also consider a regulated firm's compliance with GDPR requirements under its own rules - in particular the rules in SYSC under which firms must establish, maintain and improve appropriate technology and cyber resilience systems and controls. A firm operating in multiple member states will have the ICO as its "lead supervisory authority" if its main establishment is in the UK.

The GDPR will also apply to controllers and processors established outside the EEA if they either offer goods or services to data subjects in the EEA or monitor the behaviour of data subjects in the EEA.

Changes from the current data protection regime

The main changes from the current data protection regime are:

  • Board responsibility - compliance with the GDPR is a board level responsibility and firms must be able to produce evidence to demonstrate actions taken to comply with the GDPR requirements.
  • Consent - there are stricter rules on obtaining consent of data subjects as a way of justifying the use of their data. Consent must be freely given, specific, informed and unambiguous. There are also specific rules requiring consent to electronic marketing, although these do not apply where marketing is to an organisation rather than an individual. As consent can be withdrawn, firms will not generally wish to rely on consent except where necessary in relation to marketing.
  • Information - data subjects must be informed of their rights and how they can exercise these. This will likely require amendments to subscription agreements and websites and the prospectus may need to be updated as part of the next general update if it currently contains data protection disclosures.
  • Rights of access - data subjects will have increased rights over personal data that may be held. In addition to the ability to request access to data that is held (which must now be provided without undue delay and in any event within one month), they also have rights to request corrections, to object to the processing of their data, the right to be forgotten (erasure) and the right to have their data transferred to another controller (known as data portability).
  • Data protection officers - certain firms, for example those whose core activities involve regular and systematic monitoring of data subjects on a large scale, will need to appoint a data protection officer. This is unlikely to apply to fund managers.
  • Record keeping - data processors and controllers must keep records of data processing activities carried out.
  • Notification of security breaches - a personal data breach must be notified to the ICO without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach is likely to result in a high risk to their rights and freedoms, the affected data subjects must also be notified without undue delay. Processors must notify the relevant controller without undue delay after becoming aware of a breach.
  • Increased penalties - fines can be (i) up to the higher of 4% of global annual turnover or €20m for the most serious breaches, and (ii) up to the higher of 2% of global annual turnover or €10m for other breaches. These fines are in addition to any damages claims brought by individuals.

Preparations for GDPR

The steps that authorised fund managers must take in preparation for the GDPR include:

  • Data audit. You will have already begun your data mapping exercise to identify all personal data (held electronically or otherwise), including information on investors, marketing contacts, employees, and suppliers (or their employees). In particular it is necessary to identify data flows outside the EEA.
  • Identify controllers and processors. Controllers and processors must be identified based on your specific circumstances, although for UK regulated funds it is generally the case that the fund and the authorised fund manager are both controllers of the same data but for different purposes. The analysis will likely be different for regulated funds in other jurisdictions that have a different fund structure.
  • Data privacy notices. Controllers must inform each data subject of their rights in relation to personal data, which is generally being done by providing a data privacy notice. Where both the fund and the fund manager are controllers of the data held at the administrator, investors are usually being provided with a joint privacy notice, although the manager may be providing a separate notice to individuals whose data it holds on its own systems. The form in which these notices can be provided is not prescribed and may be by email, post, updates to employee manuals, etc. - we are happy to advise on this based on your specific circumstances.
  • Contracts. Contracts between a controller and a processor must include specified GDPR processor provisions that allocate data protection responsibilities between the parties and set out what data processors may do with the personal data (including permissibility of delegation). We can assist you with updating your contracts - the main contracts to update will likely be delegation agreements (eg administrator agreements), although some agreements with suppliers may also need to be updated.
  • Marketing considerations (consent). You must update your marketing policies as necessary. These policies must reflect both GDPR requirements and those under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (which are expected to be replaced by the proposed e-Privacy Regulation).

    GDPR requires a lawful justification for the processing of an individual's personal data, including the use of that personal data (eg contact details) for marketing. The GDPR lists the available justifications and, in relation to the sending of unsolicited marketing or advertising, the applicable justifications are that the individual has consented to the use of their data for that purpose, or that the marketing / advertising is necessary for the purposes of the legitimate interests pursued by the company (provided these are not overridden by the interests or fundamental rights and freedoms of the individual). Consent may specifically be required (under GDPR and/or PECR) if:
    • electronic marketing materials are sent to someone who is not or has not been a customer
    • the customer was not given an opportunity to opt-out of receipt of electronic marketing messages when the contact details were originally collected
    • the marketing materials relate to different products or services (ie products or services that the customer would not reasonably expect to be associated with the products or services they previously purchased or tried to purchase)
    • they otherwise exceed the boundaries of the legitimate interests justification because the activity goes beyond what an average person might reasonably expect and/or is unduly prejudicial, or
    • a PECR rule specifically requiring consent applies - namely when using the location of a device on an electronic communications network (eg a mobile phone) or when using "traffic data" (ie data about communications made over an electronic communications network, such as the number called, the time of the call, etc).
  • Review systems, policies and procedures. You must have systems, policies and procedures in place to enable and monitor compliance with GDPR requirements. As mentioned above, we have various templates that can help you update your policies and procedures more quickly.
  • Training. You must provide updated training on GDPR requirements to all relevant staff.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.