The General Data Protection Regulation is a fundamental re-thinking of the way business must deal with the data obtained from investors
With the GDPR implementation date of 25 May 2018 in mind, ALFI set up a working group on GDPR in October 2017 to analyse the implications of the new rules at the level of investment funds, their managers and service providers. The group agreed to collect feedback from members, which was published in a Q&A document for ALFI members at the end of April 2018. Three sub-working groups were set up to cover the analysis of general aspects, AML and tax considerations and the carrying out of a business impact analysis.
Personal data processed by investment funds and their managers typically include data of their employees, data obtained from investors and counterparties, data collected on portfolio investments and data of third-party service providers or other third parties.
As a first and essential step, ALFI’s members had to determine which entity in a given fund structure acts as data controller and data processor respectively. As highlighted in the Q&A, this requires an analysis of all data flows between all internal and external parties. By mapping data processing activities in such way, the entity defining the purposes and means of the processing of personal data (the data controller) can be identified as well as the entity processing data on behalf of the controller (the data processor). The purposes and means include the subscription of fund shares/units, the execution of AML/KYC checks on investors, the maintenance of shareholder/unitholder registers, the sending of investment information to investors, the execution of corporate actions, the distribution of cash, the provision of corporate secretary services and of tax reporting. It is important to note that the roles of data controller and data processor can vary in each case, which means that individual analyses must be conducted.
Once the parties involved have identified their respective roles, they can process data by respecting six basic principles. According to the GDPR, personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not processed further in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The data controller is responsible for compliance with these principles, and must be able to demonstrate such compliance. To this end, the fund or its managers (but also the processor) should keep records of all processing activities.
Service providers must be familiar with their obligations as data processors. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The processor shall not engage another processor without prior specific or general written authorisation of the controller. If a processor infringes the provisions of the regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Senior Legal Advisor, ALFI