The General Data Protection Regulation (the “GDPR”) applies directly in every European Union (“EU”) Member State from 25 May 2018. Data protection regulation is not new: the GDPR builds on the regime currently in place across the EU, but it seeks to align and strengthen that regime across all Member States.
This FAQ sets out some of the key questions that EU fund managers should be considering to assess how the GDPR may impact them.
Part 1: Background
What does the GDPR do?
The GDPR will implement more stringent operational requirements for processors and controllers of personal data, including, for example, expanded notices about how personal information is to be used, limitations on retention of personal data, increased requirements to delete or hand over an individual’s information upon request, mandatory data breach notification requirements, requirements to maintain records of data processing activities and transfers of personal data, and higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities.
The personal data that businesses (including fund managers) should consider includes both employee data and investor/client/customer data. Personal data is data relating to a living individual (whether or not they are an EU citizen), referred to in the GDPR as a “data subject”, who can be identified from that data, or from that data together with other information in the business’s possession. Personal data can include an individual’s business email address and contact details. Personal data may be found in employment agreements, limited liability partnership agreements, carried interest documentation, elections under section 431 of the Income Tax (Earnings and Pensions) Act 2003 (so-called s.431 elections), know your customer (KYC) and related anti-money laundering information, subscription agreements and, potentially, side letters.
Controllers are those organisations or persons who control personal data – they determine the purposes for which the personal data is processed and decide what is done with it. Processors are those organisations or persons who process the personal data at the behest of the controller and in accordance with their instructions. They do not decide what happens to the personal data. Processing is defined broadly and encompasses most kinds of actions carried out with respect to the data, including obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, or deleting, transferring or disclosing the data.
Depending on the particular fund structure employed, a fund’s general partner, manager and/or administrator (as applicable) would likely be considered a controller. It is also likely that the general partner or manager (as appropriate) would, in the ordinary course of business, engage third-party processors of personal data such as fund administrators, payroll firms, stock distribution agents, accountants, lawyers or companies engaged to dispose of confidential information.
Who does the GDPR apply to?
Broadly, the GDPR applies to controllers and processors established in the EU, and also to controllers and processors not established in the EU where their activities involve (i) offering goods or services (such as interests in the fund manager’s funds) to data subjects in the EU, and/or (ii) monitoring the behaviour of data subjects in the EU (e.g., online tracking). This is a change from the previous data protection legislation and significantly increases the extraterritorial reach of European data protection law.
Why does this matter?
The GDPR significantly increases penalties for non-compliance beyond what is available under current law, with fines for non-compliance of up to the greater of EUR 20 million or 4% of the business’s worldwide annual turnover. If an organisation’s privacy or data security measures fail to comply with the GDPR, the organisation may be subject to actions taken by the data supervisory authority, which may lead to enforcement orders, fines or other liabilities, as well as actions from individuals which may lead to claims for damages.
What are some of the key changes?
There are a number of changes that will occur when the GDPR comes into force. We outline some of the key ones below.
Breach Notification:
• A personal data breach is a breach of security leading to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
• Data controllers must notify the applicable data supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the 72-hour deadline is not met, the notification must be accompanied by the reasons for the delay. Processors must notify the controller without undue delay after becoming aware of a breach.
• Data controllers must also notify the affected data subjects, without undue delay, where the breach is likely to result in a “high risk” to the rights and freedoms of individuals. A data supervisory authority may also require a data controller to notify data subjects.
One-stop Shop Approach:
• For businesses that carry out processing in multiple Member States, the GDPR introduces what has become known as the “one-stop shop” approach: the data supervisory authority of the Member State in which the controller or processor has its “main establishment” acts as the “lead supervisory authority” charged with overseeing its cross-border processing from a data protection perspective.
Consent:
• Under the GDPR, there are more detailed conditions for using consent as a basis for data processing, namely consent must be “freely given, specific, informed, and unambiguous”. In the case of special categories of personal data (sensitive personal data) it must also be “explicit”.
• The new requirements will make consent more difficult to rely upon as a valid basis for processing and transferring data. Other lawful bases to process personal data may be relied upon if possible, e.g., as part of the performance of a contract or for relevant legitimate interests.
Data Subject Rights:
• Data subjects will now have expanded rights, including the right to have their personal data ported between service providers (known as data portability) and the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.
• Protocols for dealing with data subject complaints/objections/requests for rectification and erasure as well as to access data (i.e., subject access requests) have also been updated.
Data Protection Officers (“DPOs”):
• Some businesses will be required to appoint a DPO. A DPO must be an expert in GDPR data protection laws and practices.
• This obligation applies to (1) all public authorities, (2) entities whose core activities involve “regular and systematic monitoring of data subjects on a large scale”, and (3) entities whose core activities involve large-scale processing of special categories of personal data (e.g., data revealing racial or ethnic origin, religious beliefs or health) or of personal data relating to criminal convictions and offences. This is therefore unlikely to be applicable to most fund managers.
We should also note that although the GDPR seeks to harmonise data protection laws across the EU Member States, there are certain areas where EU Member States can increase protection, most notably with respect to employee data. Certain countries including Belgium, France and Germany have already made, or intend to make, use of this option.
Will Brexit mean that the GDPR will not be applicable to the UK?
No. The UK will be a member of the EU when the GDPR comes into force in May 2018. The GDPR therefore will be directly applicable until such time as the UK formally leaves the EU. Even when the UK leaves the EU, it is likely that it will continue to apply the requirements of the GDPR to its domestic law. The prudent approach is therefore to work on the basis that the requirements of the GDPR will apply in the UK for the foreseeable future.
Part 2: GDPR and EU fund managers
Fund managers located in the EU will be affected by the GDPR, given that they will process employee data and given that they will likely process personal data relating to fund investors.
How will the GDPR impact EU fund managers?
EU fund managers will have to meet the requirements of the GDPR as applicable to them and the specifics of their business. As a preliminary step to compliance, the fund manager should carry out a GDPR compliance project, taking into account the next steps outlined below. This would include carrying out a data mapping exercise and putting in place appropriate documents and agreements with respect to any personal data, including employee and investor personal data that the fund manager processes. In addition, if any personal data that the fund manager processes is transferred outside of the EU (including to the EU fund manager’s parent or sister companies), then unless that country, territory or sector ensures an adequate level of protection in relation to the processing of personal data, a mechanism to transfer that personal data will need to be put in place, such as a data transfer agreement based on the model clauses or binding corporate rules.
A data transfer agreement based on the model clauses (the standard contractual clauses approved by the European Commission) is a standard-form document whose terms cannot be amended. Once signed, its contractual protections are treated as providing adequate safeguards for the export of personal data from the EU.
Binding corporate rules are internal and legally binding rules for handling personal data. The rules must meet certain requirements and must permit data subjects to enforce their rights. Data supervisory authorities must sign off on the rules.
What next steps should an EU fund manager be taking to prepare for GDPR?
These are the initial areas where work should be undertaken by EU fund managers to ensure that they are ready for the implementation of the GDPR:
- Map the personal data you collect, store or process in the EU, including what it is used for and how long it is kept.
- Review and update data protection policies and/or notices (this includes privacy policies and employee data protection notices).
- Review and update agreements in relation to the transfer of data, including international transfers.
- Review and update employment documentation.
- Review and update fund documentation to the extent necessary (e.g., consider the inclusion of provisions in the fund subscription agreement which refer to and/or include a privacy policy).
- Review information security policy.
- Review default data retention and erasure practices and policies.
- Consider the processes in place for handling data breaches and prepare a data breach policy/process.
- Train staff on data protection practices and on how to recognise, escalate and report a data breach.
- Consider whether a DPO will need to be appointed (although this is unlikely to be necessary for the majority of fund managers).