What does a Fund need to do to prepare for the General Data Protection Regulation (GDPR) which will come into force on 25 May 2018?
The GDPR represents a radical EU-wide overhaul of existing data privacy legislation. Irish Funds need to ensure that they are in full compliance with the GDPR (and are able to demonstrate how they comply with their data protection responsibilities) by 25 May 2018. Funds are in scope where they "control and are responsible for the keeping and use of personal information on computer or in structured manual files", for example, where they obtain and process customer due diligence documentation for AML/CTF purposes. They will therefore be subject to specific statutory obligations under the GDPR, and liable to hefty fines of up to €20 million or 4% of annual turnover, as well as compensation claims from individuals for pecuniary or non-pecuniary loss (such as emotional distress) resulting from any infringement of the GDPR.
The GDPR will likely trigger some, if not all, of the following actions by Funds.
An assessment of all the personal data which a Fund holds and the purpose of collecting and processing it.
A review of how the Fund is currently capturing investors' consent to processing of their personal data, and consideration of whether this meets the more onerous requirements of the GDPR.
A review of existing security policies/procedures, and adoption of a "privacy by design" approach to data protection (such as pseudonymising and encrypting data) and a "privacy by default" approach (such as keeping only the minimum amount of necessary data). A Fund will also need to review its data breach response plan/procedures to ensure it can report a breach to the Data Protection Authority within the statutory 72-hour time limit.
A review and update of the Fund prospectus and subscription forms to meet the increased information rights of individuals. Funds will be required to provide a myriad of additional information to individuals at the time their data is collected, to ensure their data processing activities are transparent. For example, individuals will have to be informed of the legal basis for processing their data; the period for which their data will be retained; details of any data transfers out of the EEA; the existence of any automated processing, including profiling, and the consequences of such processing; and the contact details of the Fund's Data Protection Officer, if applicable.
A review and update of current agreements with third party service providers (such as Administration Agreements) to include the more prescriptive obligations on service providers which the GDPR requires to be included in data processing contracts, as well as appropriate liability apportionment clauses.
A review of arrangements to ensure that the Fund and/or any of its delegates will not transfer personal data to a country outside of the EEA unless that country ensures an adequate level of data protection or appropriate safeguards are in place.
An assessment of the new and enhanced rights of individuals and the corresponding obligations on the Fund and its delegates. A Fund will have to respond to an individual's request to access, erase, rectify, port, restrict or object to the processing of their data within the one-month statutory time limit.
It will be important for Funds to factor in the time required to gather the necessary information and to agree new provisions (particularly with service providers) as well as allowing time for clearing documentation with the Central Bank, where appropriate.