How will the GDPR affect investment funds?
Gareth Morgan, Collas Crill, Senior associate, Guernsey, 26 January 2018
In the ninth of our series of regulatory columns by experts in Guernsey’s legal sector, the senior associate in the corporate and commercial team at Collas Crill tells us how the European Union's General Data Protection Regulation will affect investment fund structures.
The General Data Protection Regulation (GDPR) is the current office ‘crusade du jour’ in many a financial, legal or investment management firm here in Guernsey. The principal tenets of the regulation will become effective in many offshore jurisdictions through the extra-territorial effect of the regulation itself. In Guernsey, the Data Protection (Bailiwick of Guernsey) Law 2017 will guarantee the essential safeguards of personal data as set out in the GDPR, so that Guernsey maintains its current status as an ‘adequate’ jurisdiction internationally.
As readers of Compliance Matters know, the GDPR will affect all firms that deal with the personal data of EU citizens. We may profess to understand its aims (stronger protections for personal data throughout the EU and those jurisdictions that deal with the EU), but when we put it into practice we shall have to give some thought to revising our service providers' processes and procedures. Particular markets will face unique challenges in terms of compliance with the GDPR and the DP Law; this article is going to concentrate on the investment funds sector.
Data protection principles
The DP Law will revise the fundamental principles of data protection in line with the GDPR. It requires financial and other firms to process personal data:
- lawfully, fairly and transparently;
- in accordance with specified, explicit and legitimate purposes;
- only to the minimum extent necessary;
- accurately;
- for no longer than is necessary for its purpose;
- with integrity and confidentiality; and
- with accountability (by the controller/processor).
What does this mean for a run-of-the-mill investment fund structure?
Investment funds can be complex animals, so it is not always immediately obvious which persons, companies, service providers etc, might be engaged in the controlling or processing of personal data for the purposes of the GDPR and the DP Law and, indeed, what personal data they may hold or need to hold.
When an investor applies to subscribe for an investment in a fund, he will typically be required to provide his name, date of birth, postal address (and proof thereof), payment details and tax residency (in accordance with established anti-money laundering and "know your client" policies in place from time to time). This is a relatively short list of requirements (painful as it may be to have to deal with at times), but consider what this involves in terms of handing over personal data: photo identification, utility bills with personal addresses, the disclosure of source(s) of wealth/funds, employment details, dependants, investment profile information and more.
This is sensitive data that the party or parties that collect it must respect. It is not necessarily restricted to data about investors: an investment manager set up alongside a fund will have obligations under the GDPR and the DP Law with regard to data about the investment manager's employees.
Who are the data controllers/processors in an investment fund context?
Investment funds usually operate under the supervision of a board of directors, who will often delegate certain roles and powers to an investment manager (unless the fund is self-managed). In the context of data protection legislation, the investment manager, the fund itself and the relevant administrator could probably be construed as ‘data controllers’.
Additionally, either the fund board or the investment manager will appoint a range of other service providers to suit the type of fund and its needs. For a single investment structure there might be, in addition to an investment manager, a transfer agent, a distributor, a custodian and a company secretary. Such service providers would generally be considered to be ‘data processors.’ Some of those service providers may well outsource certain functions to subsidiaries or third-party agents, further widening the net of potential data predators.
An investor will invariably provide some or all of the information discussed above to one or more of these service providers, either in order to abide by the contractual obligations of investment in the fund (these are usually set out in the information memoranda and subscription documents), or to comply with the ‘know your customer’ and anti-money-laundering policies and procedures of the relevant service providers.
It is also likely that such service providers will have to share investors' data between themselves to do their jobs in the structure. They will process and store this personal data both for their own purposes and on behalf of the fund.
Coming back to the fund itself, the board of directors will of course have to ensure that, at each level where data is controlled, processed, stored etc, there are enough safeguards and processes in place for the proper governance and protection of the personal data of investors. As a result, broad and permissive delegation powers often found in investment management and administration agreements will have to be made subject to (among other things) the delegate's ability to demonstrate effective compliance with the GDPR and the DP Law.
What can or should be processed?
With regard to the type and substance of the data held or to be held at each level in a fund, the relevant key principle from the DP Law is that the data should be:
"adequate, relevant and limited to what is necessary for the purposes for which it is processed".
This needs to be considered carefully on a service-by-service basis. The information about an investor that is "necessary" for, say, an administrator to hold might not be justifiably necessary for a distributor or an investment advisor to hold, so uncertainty surrounds the volume and type of information that such entities can pass between them.
Service providers will have to be able to show the Government that the ‘data subject’ (i.e. the investor) has freely consented to the processing of his personal data in a clear and affirmative way. A general indication of consent from the investor set out in a subscription form will not be sufficient (the consent must be clear and specific) and cannot be used as a blanket permission to control a person's data.
As consent cannot be withdrawn, it should not be obtained where the data controller/processor has a ‘specific, explicit and legitimate purpose’ in collecting and processing the data, such as for compliance with anti-money laundering legislation. Many standard-form fund subscription agreements will therefore require a thorough upgrade to make the investor's consent and information rights specific.
Service providers classed as data processors (these could take the form of agents, sub-custodians and investment advisors) will be directly liable for their activities relating to the processing of personal data. They will no longer be able to pass on responsibility to the relevant data controller. Furthermore, the precise remit of the data processor with regard to processing investors' data will have to be set out in clear instructions from the data controller in the relevant service contract.
Additionally, data subjects must be informed of their rights under the DP Law and the GDPR and how to exercise them. A logical place for this information is in the fund's information documents (scheme particulars, prospectus, etc) as this is the investor's prime source of information about every fund.
Who is responsible?
As mentioned above, data controllers and data processors have direct liability for their activities regarding personal data and are responsible for setting up appropriate safeguards. However, the board of a fund which has appointed these service providers should keep a superintending eye on things and ensure that safeguards are in place at every level.
The penalties for breaching the DP Law are more significant than under the existing data protection regime, with fines of up to £300,000 or 10% of global annual turnover (up to a limit of £10 million) possible for breaches of the fundamental principles established under the DP Law.
That being said, the board of a fund will invariably rely upon the administrator for the bulk of the data processing, particularly as it is part and parcel of the administrator's on-boarding process for investors. With this in mind, administrators may well find themselves under particular scrutiny when touting for fund business; a service provider who can show a fund that it has the ability and infrastructure to comply with the GDPR in an efficient and cost-effective manner is going to have a competitive advantage.
A data revolution in the funds industry?
Data is fast becoming one of the most prevalent, and valuable, commodities on the planet. As regulation evolves, so must the market. When considering the effect of the GDPR and related legislation on funds, the directors of those funds and all the service providers will have to assess their own obligations. In short, every participant must understand his responsibilities.
That being said, the GDPR and the DP Law have, in effect, tinkered with an established regime to make it tighter, more transparent and fairer for data subjects, but the basic structure, with which investment funds and service providers have all been complying for many years, is still there.
So a revolution this is not, and as long as all data controllers and processors evolve sensible procedures and documents at an early stage to help themselves use and safeguard investors' data appropriately, we can look forward to business as usual.
* Gareth Morgan can be reached on +44 (0) 1481 734264 or at gareth.morgan@collascrill.com