GDPR: How Asset Managers Can Comply by May Deadline

On January 28, 2018, the world celebrated the official Data Privacy Day.  Every year on this day, businesses recognize their responsibility to protecting the privacy of their clients and employees.

Firms understand their responsibility to protect an individual’s right to privacy; however, many of these organizations continue to be challenged with the ability to effectively identify, classify and safeguard their data.

Regulators continue to express their concern and develop rules that require firms to dedicate more time and resources to solve the problem. The European Union, for example, has issued the General Data Protection Regulation or “GDPR” which imposes strict data protection requirements on firms established in the EU as well as on all firms that control or process European personal data.  

Asset Managers and Private Funds are struggling to understand the complexity of GDPR and how the permutations of rules may apply to their data. The definitions are broad, but asset managers that have office locations in the EU, employ EU nationals or market to European investors realize they are considered to be “controllers” or at least “processors” of EU personal data under the GDPR.

To assess the exposure and the ability to comply with the GDPR, asset managers should be able to answer:  

• Do we capture EU data? – Personal data that is subject to the regulation is broader than an individual’s contact details and the information may not always be easily identifiable in offering documents, LP agreements, client and vendor documents or other related files. 
• Where does the data reside? – GDPR expects firms to be able to identify and classify EU personal data that is stored internally or with a third-party administrator. The ability to identify and map the flow of personal data supports the GDPR requirements to provide specific rights to an individual, which include rights associated with access, rectification, erasure, portability and processing of personal data. 
• Can we collect the required consent? Fund managers will be required to establish a lawful basis for processing personal data and document consent from the data owner, which may include current and prospective investors, sub-advisors, and other participants.  
• Are the current policies and controls sufficient? – Asset managers may not have the requisite data governance and security control framework to support the GDPR requirements.  A comprehensive framework should define controls for internal processing data, transferring data outside of out of the European Economic Area (“EEA”) and activities conducted by external third parties.  
• What happens in the event of a data breach? – Although many firms have implemented cybersecurity and data protection controls, many of these detective measures are not able to identify the impact of the data breach and allow management to report the event to the relevant authorities within 72 hours as required by the GDPR.

Asset managers that are subject to GDPR will need to implement a data governance and control framework to effectively comply with the regulations.  The framework is supported by multiple functions throughout the organization and should be able to identify personal information that is captured for each business activity, explain how the information is used internally and externally by third parties (e.g., marketing agents, distributors, administrators, depositaries etc.) and identify the specific storage locations.

All firms that are subject to GDPR must comply by May 25, 2018.  Many firms will not be ready to comply with the requirements by the end of the month and it’s unclear if supervisory authorities will provide any reprieve for partial compliance with the regulation.  The inability to comply could bring about the imposition of significant fines (up to 4% of the previous year’s annual global turnover or €20 million, whichever is greater).  The penalties are significant; however, given the global focus on an individual’s right to privacy, asset managers realize that the reputational impact associated with non-compliance can cripple a business which may outweigh any regulatory fine. 

Asset Management Intelligence – Q2 2018

• A Refresher on Broker-Dealer Expense Sharing Agreements
• The Fund Administrator’s Perspective: Real Estate Funds Poised for Robust Growth
• Technical Corrections Provisions Impact Partnership Audit Rules
• Alternative Investment Industry Outlook for Q2 and Beyond
• GDPR: How Asset Managers Can Comply by May Deadline
• Considerations for Establishing an Investment Fund in the Cayman Islands