On 25 May 2018 the GDPR comes into force in the UK. The new data protection regulation will have a broad impact on businesses across industries, including the alternative investment sector. Compliance is not negotiable: fines can reach €10m or 2% of annual worldwide turnover for some infringements, and €20m or 4% for the most serious, whichever is higher, so ignoring the new regulation could be incredibly costly. There are a number of key ways in which the GDPR will specifically affect the alternative investment sector.
Alternative investment sector data controllers
Definition: a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Example: a fund umbrella
- Reporting a data breach – the GDPR tightens breach reporting: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is high, the affected data subjects must also be told without undue delay.
- Consent – gone are the days when a pre-ticked box granting blanket consent would be acceptable. The new regime demands consent that is freely given, specific, informed and unambiguous for each purpose, which will require a review of fund subscription documents and online interactions.
- Reach – companies outside the EU that provide services to data subjects in the EU, or act for data controllers within the EU, will also have to comply with the GDPR.
- Selection of data processors – the GDPR requires controllers to use only processors that provide sufficient guarantees of compliance, and to include prescribed terms in the processing contract (Article 28), which will necessitate a review of administration agreements.
- Risk basis – the GDPR takes a risk-based approach: controllers must build data protection in by design and by default, and apply technical and organisational measures appropriate to the risk of the processing. This could require an infrastructure overhaul to ensure systems and processes prioritise data protection.
- The rights of data subjects – the GDPR requirement to inform data subjects of their rights can be accommodated via a new data protection policy and enhanced disclosures in the prospectus and subscription documents. The right to data portability and the right to erasure (to be "forgotten") will also need to be factored in, which in practice means knowing where investor data is held so that it can be extracted or deleted on request.
Alternative investment sector data processors
Definition: a natural or legal person which processes personal data on behalf of the data controller.
Example: a fund administrator
- Clarity of instructions – it may be necessary to review and tighten existing agreements, because under the GDPR a processor may process personal data only on the documented instructions of the controller; a processor that goes beyond those instructions is treated as a controller in its own right for that processing.
- New liability – liability for a processor's actions no longer falls exclusively on the data controller. Processors are now directly liable for their own breaches of the regulation and must themselves implement appropriate security measures.
- Outsourcing – data processors (for example, delegates and administrators) appointing sub-processors must have the prior written authorisation of the data controller (for example, the management company), and must pass the same contractual obligations down to the sub-processor.
- Records and registration – it is no longer necessary to register with the Data Protection Commissioner, but there are detailed requirements on documenting processing activities for businesses with 250 or more staff (and for smaller ones whose processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data). All data processors are required to keep records of the processing carried out for each controller; record retention policies may need to be reviewed to accommodate this.
From security to compliance, netConsult offers a range of packages to support your business through market and regulatory change. Get in touch with our team today to discuss how we could assist your alternative investment firm with a GDPR compliant infrastructure.
Author: Laura Zverko