Like the Directive, the GDPR distinguishes between data controllers (the entity that exercises control over the processing of personal data) and data processors (service providers that process data on behalf of data controllers). Every entity in the funds industry ecosystem that handles personal data – including fund vehicles, investment managers, general partners, transfer agents, trustees, custodians, depositaries and administrators – must assess whether it is a controller or a processor in respect of that data.
Fund vehicles that are self-managed (structured as a company with its own board) will usually determine the purposes of data processing and will therefore be data controllers. But where a third-party adviser (for example, an investment manager or general partner) is responsible for decision making about data processing, that party will be the data controller. Whichever role applies, there are significant new responsibilities for both controllers and processors that, in most cases, will fundamentally change how a fund processes personal data and its relationships with service providers handling the fund’s personal data holdings.
Many funds have significant operations in the EU and are already subject to the Directive as data controllers “established” within a Member State. In a significant new development, the GDPR expands the territorial scope of the existing data protection regime and now captures entities established outside the EU in certain circumstances. Whether or not the GDPR applies to these funds will require a case-by-case assessment. For example, non-EU funds could be subject to the GDPR if they conduct marketing activities through marketing teams or representatives based in the EU, even if the data is stored outside the EU. Non-EU funds that are subject to the GDPR will be required to appoint an EU-based representative in connection with their GDPR obligations.
The GDPR introduces a hefty competition-like sanction regime with potential fines for violation of core data protection requirements (including processing without valid consent, breach of individuals’ rights or unlawful data transfers) of up to the higher of 20 million euros or 4% of global annual revenues, or up to the higher of 10 million euros or 2% of global annual revenues for violations regarding notification of data breaches, data processor terms and other requirements.
Funds handle significant amounts of personal data relating to investors, business contacts and employees. Accordingly, these businesses should act now to assess their data protection policies and practices, perform a gap analysis to identify the areas requiring changes and start to implement the changes in time for the GDPR’s implementation.
Review and Update Privacy Notices
Data controllers are already required to give individuals certain information about data practices (usually through a privacy notice), such as the identity of the data controller and how the data will be used. The GDPR requires much more detailed information to be provided, in concise, easy to understand and clear language, including:
- the legal basis justifying the processing of the data;
- data retention periods;
- any transfer of the data outside the European Economic Area (the EEA, comprising the EU Member States, Norway, Iceland and Liechtenstein); and
- individuals’ rights, including the right to lodge a complaint with the Data Protection Authority (DPA).
Review The Legal Bases For Data Processing
Like the current framework, the GDPR requires that data controllers have a “legal basis” to process personal data. Examples include individual consent, necessity to perform a contract or to comply with legal obligations, or the “legitimate interest” of the data controller or a third party.
Most of the data processing activities typically carried out by funds are likely to be justified by the legitimate need to perform obligations under the subscription agreement, other fund documentation or to comply with legal obligations, while others (for example, marketing) are usually based on “consent” from individuals.
The GDPR significantly tightens the rules for obtaining consent. Consent must be an affirmative indication by individuals that they agree to their personal data being processed for clearly identified and specific purposes. Silence, inactivity or pre-ticked boxes are invalid. For sensitive data and certain processing activities (for example, transfer of data outside the EEA), consent must be “explicit,” and the request for consent must be presented in a manner that is clearly distinguishable from other terms. Funds will need to consider how they present consent requests and consent forms. In addition, individuals must be able to withdraw consent at any time and in an easy way.
The GDPR requires data controllers to demonstrate that they have a legal basis for the processing, through appropriate documentation.
To Do: Consider the types of data processing you carry out, identify and document the legal basis you are relying on for each purpose for which you are processing data. Where consent is the legal basis for the processing, assess whether those consents meet the GDPR’s elevated requirements and review standard form language in the subscription forms and other documents you are currently using (unless another legal basis for processing can be established).
Review Procedures And Policies To Comply With Data Subject Rights
The GDPR offers enhanced data subject rights, including augmented rights to access, erasure (the “right to be forgotten”) and to restrict “automated decision-making” (e.g., automatic refusal of an online credit application; e-recruiting practices without any human intervention), and a new right to “data portability.” The GDPR imposes tight timeframes for addressing the exercise of these rights: data controllers will need to document that they have acted on a request – generally within one month of receipt.
To Do: Review your internal processes, staff training and IT systems and make any necessary changes to accommodate these new individuals’ rights.
Review Data Processing Agreements
Funds should already be familiar with current requirements to ensure adequate data processing terms in agreements with service providers (“data processors”) (for example, administrators, trustees and custodians, payroll processing and cloud service providers). The GDPR is much more prescriptive about the content of these terms (mandatory content includes restrictions on sub-processing, cooperation with the data controller in fulfilling the GDPR’s obligations, and the controller’s audit rights). The GDPR also creates direct legal obligations for data processors (including with respect to security measures, record-keeping obligations and cooperation with DPAs), which will likely have an impact on contractual negotiations.
To Do: Review processing terms in administration agreements and other contracts with service providers to ensure they contain the required terms. Before engaging a data processor, assess the processor’s ability to comply with its increased obligations. And remember, data controllers are ultimately responsible for compliance with data protection principles and are liable for the failings of their processors.
Assess Joint Controllership Instances
Be alert to potential instances of “joint” controllership, which occurs when multiple entities jointly determine purposes or means of the data processing (for example, if affiliated funds in a group structure concur in taking decisions on how the data is processed). The GDPR requires the joint controllers to address their respective GDPR responsibilities in an agreement with one another and to make the “essence” of such agreement available to individuals.
To Do: Assess whether other entities, including affiliates, involved in processing personal data qualify as joint controllers and review your agreements with those entities as warranted. Your privacy notices must clearly identify joint controllers.
In exchange for eliminating the current registration or data processing notification requirement with DPAs, the GDPR now requires that controllers and processors keep detailed records of data processing. Records must be provided to DPAs upon request.
To Do: Develop and maintain records of processing activities.
Prepare Data Breach Procedures
Data controllers will be required to notify DPAs of certain “personal data breaches” within 72 hours after having become aware of a breach, unless they can show that risk to individuals is unlikely.
Likewise, affected individuals must be notified without “undue delay” if the breach is likely to result in a “high risk” to their rights and freedoms. Sensitivity of the data is a factor that should be considered when assessing whether there is a “high risk” associated with the processing. Controllers should also be familiar with certain exceptions to the obligation to notify individuals such as when the affected data is encrypted.
Data processors are required to notify controllers without undue delay after becoming aware of a breach. The absence of a definition for “undue delay” will result in negotiations over the time frame for processor notifications to controllers. Controllers will press for a quick time frame to ensure they can comply with the statutory time frame, while processors will press for greater latitude to minimize disruption associated with accurately ascertaining the facts of the breach.
To Do: Assess your internal policies and processes to ensure that appropriate procedures are in place to detect, investigate, report and document data breaches and to manage the fall-out from such reporting. Ensure that your service agreements incorporate appropriate data breach notification terms.
Implement Data Transfer Mechanisms
The GDPR prohibits the transfer of personal data to countries outside the EEA that do not ensure an “adequate” level of data protection unless certain conditions are met. These conditions are broadly the same as those under the current framework (e.g., self-certification to the Privacy Shield; use of model contract clauses). Consent can also be used for these transfers provided it meets the other conditions described above. Approved codes of conduct and certification mechanisms may be used in the future to provide further and alternative authorisation for data transfers.
To Do: Be aware of your data transfers outside the EEA – both intragroup and to service providers – and review the mechanisms you rely on to accomplish such transfers. If your data export strategy is built around consent, assess whether existing consents meet the GDPR’s elevated requirements and evaluate whether consent is a practical solution for your data transfers, especially since consent can be withdrawn at any time and, due to its nature, is subject to a restrictive interpretation by DPAs.
Other New Requirements
Data Protection Officer
The GDPR requires businesses to appoint a Data Protection Officer (DPO) in specified circumstances, most notably where an entity’s core activities consist of (i) processing of personal data about criminal convictions and offences or sensitive data, or (ii) regular and systematic monitoring of data subjects, in either case on a large scale. This requirement is unlikely to apply to most funds.
To Do: Assess whether any of your core activities would require you to appoint a DPO and document this internal analysis. If you have already hired a DPO you should review the job functions of the position and compare them to the GDPR’s requirements (expertise and independence), and adapt the functions as warranted.
Privacy By Design And By Default; Privacy Impact Assessments
Data controllers must implement appropriate security measures into data processing activities (“Privacy by Design”), such as pseudonymisation - the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. They must also ensure that processes in place are such that, by default, only personal data that is necessary for each specific purpose is processed (“Privacy by Default”).
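The pseudonymisation described above (direct identifiers replaced by a token, with the linking information held separately) can be shown concretely. The following Python is an added illustration, not code from the article or from Goodwin; the investor records are constructed sample data, and the field names, the HMAC-SHA256 tokenisation and the "identity vault" are design choices assumed here for the example. The working dataset can be shared with, say, an administrator or analytics team, while the key and the vault stay with the controller; without them a pseudonym cannot be linked back to a person.

```python
import hmac
import hashlib
import secrets

# Constructed sample investor records for illustration only (not real data).
SAMPLE_RECORDS = [
    {"investor_id": "INV-0001", "email": "a.investor@example.com", "commitment_eur": 250_000},
    {"investor_id": "INV-0002", "email": "b.investor@example.com", "commitment_eur": 1_000_000},
    {"investor_id": "INV-0001", "email": "a.investor@example.com", "commitment_eur": 50_000},
]

# Fields that directly identify a person; they must not appear in the working dataset.
DIRECT_IDENTIFIERS = ("investor_id", "email")


def generate_pseudonymisation_key() -> bytes:
    """Secret key for the keyed hash, held by the controller separately from the working data."""
    return secrets.token_bytes(32)


def pseudonym_for(investor_id: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256 so one person always maps to one token.

    A keyed hash (rather than a plain SHA-256) means a party holding only the working
    dataset cannot recompute or confirm a pseudonym by guessing candidate identifiers.
    """
    return hmac.new(key, investor_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into (working_dataset, identity_vault).

    working_dataset: records with direct identifiers replaced by a pseudonym.
    identity_vault:  pseudonym -> direct identifiers, i.e. the "additional information"
                     that the GDPR expects to be kept separately from the working data.
    """
    working = []
    vault = {}
    for rec in records:
        token = pseudonym_for(rec["investor_id"], key)
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"pseudonym": token, **payload})
    return working, vault


def reidentify(pseudonym: str, vault):
    """Re-link a pseudonym to a person; only possible with access to the separately held vault."""
    return vault.get(pseudonym)


def contains_direct_identifiers(records) -> bool:
    """Sanity check before releasing a dataset: no direct identifier field may remain."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = generate_pseudonymisation_key()
    working, vault = pseudonymise(SAMPLE_RECORDS, key)
    for row in working:
        print(row)
    print("direct identifiers left in working dataset:", contains_direct_identifiers(working))
    print("vault entries held separately:", len(vault))
```

Because the pseudonym is stable, the two commitments of INV-0001 still group together in the working dataset, which is what makes the data useful for reporting; because the key and vault are held elsewhere, the dataset alone does not reveal who the investor is. Note that pseudonymised data of this kind is still personal data under the GDPR (only the key holder's ability to re-identify is removed from the recipient), so it reduces risk rather than taking the data outside the regime.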
The GDPR also requires data controllers to conduct a Privacy Impact Assessment (PIA) prior to data processing that is inherently “high risk”. Provided their data processing activities are limited to such activities as marketing, performing obligations under fund documentation and complying with legal obligations, funds are unlikely to carry out the kind of processing which triggers the requirement for a PIA.
To Do: Ensure that your information systems, privacy programs and processes address the GDPR’s Privacy By Design and Privacy By Default requirements. This requires examining the life cycle of personal data that is handled against the requirements of the GDPR. You should also consider assessing whether a PIA may be required for your processing activities.
Identifying the Lead DPA
Funds with multiple establishments in the EU (or whose sole EU establishment carries out data processing activities which substantially affect individuals in multiple Member States) may now benefit from a new “one-stop shop” approach to enforcement under which the DPA of the entity’s “main” establishment acts as the “lead” DPA to coordinate investigations and enforcement actions concerning such entity’s compliance with the GDPR, thus avoiding having to deal with multiple DPAs.
To Do: Identify where your “main establishment” is and who your lead DPA will be, and document the internal analysis in the event DPAs seek support for your conclusion about your main establishment.
Given the increased penalties that will apply under the GDPR and the potential for reputational harm, data protection compliance should not be seen as a box-ticking exercise. Ongoing compliance will require funds to build a data protection culture within their organization and implement robust policies and procedures to demonstrate data protection compliance.
Funds that have not started their GDPR preparations should act now to assess their policies and practices around transparency, accountability and data governance; review subscription agreements, disclosures and other documents, and data processing terms in service agreements; and implement any changes required to ensure compliance with the GDPR before it goes into full force in May 2018. The following initial steps can guide your preparations:
- Audit current data protection practices. This should at minimum involve mapping:
- How personal data is obtained;
- The legal basis for the processing (e.g., consent);
- With whom personal data is shared and why;
- How and where personal data is stored and secured;
- To which non-EEA countries personal data is transferred.
- Perform a gap analysis to identify the areas requiring changes to comply with the GDPR.
- Start to implement the changes in time for the GDPR’s implementation to test for and address compliance challenges.
Moreover, since EU Member States are empowered to adopt additional requirements or derogations in certain areas (for example, employee data) and retain specific requirements for regulated activities (e.g. financial institutions), funds will need to assess and stay informed of derogations relevant to activities within applicable Member States.
Goodwin’s Data, Privacy and Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation, and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients with practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.
To learn more about how Goodwin can help your company address privacy and cybersecurity requirements, contact Gretchen Scott.