STATE OF PLAY
COMMENT:
DATA PROTECTION: 4 KEY QUESTIONS FUND MANAGERS MUST ANSWER
6 minute read time

Jonathan Pillinger Cork
GROUP DATA PROTECTION OFFICER – AZTEC GROUP
News of data breaches caused by hacks or negligence is all too commonplace these days. It’s imperative, therefore, that companies develop robust processes and controls for handling people’s data to manage these risks, as Jonathan Pillinger Cork, Group Data Protection Officer at Aztec, explains.
It may sound simple, but good data protection is about getting the right procedures in place, knowing what personal data you hold, and ensuring key documents are ready in case the regulator or a data subject comes calling.
Funds, GPs (in their own right or as the governing body of the fund) and the multitude of other structures active in private markets which deal with personal information are all potentially subject to state and continental data protection law – and are therefore in scope when it comes to fines and regulatory action.
The introduction of GDPR in 2018 for countries in the European Union (including the UK at the time), and the mirroring of these regulations in the Channel Islands has meant that, to some extent, compliance with data protection law has become easier. But with the law still open to interpretation, discussion and ambiguity, it is important that all organisations take action to ensure they do not leave this risk unmitigated.
As a rule, most funds process minimal amounts of personal information, but with some of it especially sensitive, and with many funds crossing national boundaries, the level of risk is not sufficiently reduced to ignore the guidance and direction of regulators.
Despite being the predominant data protection legislation in Europe, and perhaps globally, it seems GDPR was not designed for complex fund structures. The guidance and applicability of GDPR regulations therefore is open to interpretation, and the expected changes to UK data protection legislation will only add to this complexity.
So, what are some of the key questions alternative investment fund managers and General Partners should consider when it comes to data protection, and what changes could be made to processes, to ensure compliance with GDPR in the EU, the Channel Islands and the UK?
1 Does GDPR even apply to my fund?
First, you need to understand whether GDPR even applies to your fund. The short answer is: if your fund processes people’s personal information and is established in the EU, then probably. If it processes the personal data of EU citizens and markets its product within the EU, then probably, too. The names of GP Directors or of those providing third-party services to them, the individual investors or UBOs in the fund, or details of the manager of the fund, are all likely to be considered personal information – meaning GDPR regulations are likely to apply.
2 What do I need to have?
Where GDPR does apply, a fund should have a data protection policy signed off by its board or GP, setting out how it plans to comply with the relevant data protection law, that it’s committed to upholding the rights of individuals concerning their data and that it has appropriate security in place. A fund should also have a fair processing notice for its ‘employees’ – stating what information it processes and how individuals (data subjects) can exercise their rights. A fund should also have a fair processing notice for non-employees (including investors), setting out how personal information is used and how data subjects can exercise their rights. Whilst there are proforma policies available online, it’s best to engage a data protection expert to draft these for you, to give you the confidence they’ve considered the specific complexities of your fund and the differing rules in your jurisdiction. The final one of the ‘big four’ documents you should have is a register of processing activity or RoPA – this is a list of all the personal information the fund processes, where it’s stored and what reason you have for holding it.

3 What do I need to do?
GDPR isn’t just about having a set of policies in place. Its primary objective is to protect the personal information of data subjects. A fund that holds personal data should therefore design and implement robust processes and controls to ensure that the protection you have in place is appropriate. A fund should also implement a process for handling any requests that come in from the data subjects or the regulator.
GDPR is not prescriptive about the security it requires for personal data – only that it should include ‘appropriate technological and organisational controls.’ A fund should consider measures such as limiting data access to those who need it, ensuring access is based on authentication of users, storing and transmitting any data in encrypted form and removing personal data when it is no longer required. If a data subject were to make a request for their information, the fund should have a process in place for handling it, one which outlines the necessary steps and those responsible for taking them. A fund should also have contracts in place which reference personal data and the responsibilities of all parties.
4 What should I not do?
There are several easy mistakes funds and their GPs make when handling personal information, so here are some things to remember:
- Don’t collect too much personal data. If you don’t need the information, then it’s likely not to be permitted under GDPR.
- Don’t ignore the purpose of collecting personal data and collect more than is necessary. It may be that you need to identify individuals, carry out background checks and pass specific information to financial regulators, but this doesn’t mean you need to know absolutely everything about a particular individual.
- Don’t ignore the volume of personal data you collect. Personal data can easily build up, and issues can be ignored until it’s too late, at which point external experts may be required to help sort out the accumulated information.
It may be that you consider your fund to be very low risk, processing only small amounts of what you consider to be incidental personal data. Even if that is the case, the purpose of addressing these four questions is risk mitigation, and doing so goes some way towards helping with compliance. It should also be kept in mind, however, that GDPR is complex and, with jurisdictional divergence, this complexity is likely to increase.
The UK government is currently considering a new Data Protection and Digital Protection Bill, which will likely move the UK away from GDPR; the intention is to free up business to pursue opportunities to use data in an economically beneficial way. The expected changes include removing the need to have a Data Protection Officer, changing documentation requirements and removing some of the restrictions on using the legitimate interests processing basis. The new Government is currently reconsidering these proposals.
While these are potentially helpful developments, they will add a layer of complexity, especially when dealing with funds, individual investors and administrators all potentially based in different jurisdictions, such as the EU, UK and US.
Whilst the US has agreed a replacement system for Privacy Shield, which should facilitate the flow of personal data with the EU, exactly how this will operate in practice, and whether it will survive any legal challenge, is still open to question.
Aztec will soon be launching a new product aimed at General Partners, which will handle many of the issues outlined above including managing data breaches, drafting documents and reporting on key developments. Keep a look out for ‘AztecDPO’ and contact us at dataprotection@aztecgroup.co.uk for further information.
Aztec Group is authorised to carry on financial services in the jurisdictions in which it operates.
© 2022 Aztec Group.