Have you heard of the General Data Protection Regulation (GDPR)? This new regulation was adopted in April 14, 2016 and comes into effect in May 25, 2018. GDPR will institute major changes for both hedge funds and private equity managers with regards to the way they store and protect data. Those fund managers that are in violation of GDPR are also subject to significant penalties. Have you incorporated GDPR considerations in your ODD reviews? The good news is that it is not too late to start asking about it!
GDPR is also known as Regulation (EU) 2016/679 of the European Parliament. TheEU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe as well as to protect EU citizens data privacy across the region. The new GDPR regulations bring many revisions and stricter obligations over the previous regulations.
According to the EU’s FAQ on GDPR key features of GDPR include:
- Increased territorial scope
- Increased penalties – those organization in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)
- Consent – the EU has strengthened the conditions surrounding the requirement for the disclosures regarding the consent given for the use of data to be in plain language and not full of complex legal terminology. Also strengthened are the rules surrounding the ease with which consent can be withdrawn
- Breach notifications – notification of any data breaches must be provided within 72 hours of a fund manager first becoming aware of the breach
- Right to access – Expanded rights for individuals to be able to obtain clarification as to whether or not personal data concerning them is being utilized, where and for what purpose
- Data erasure – Investors in a fund also will have a right under GDPR to have their data forgotten. Investors may also even have the ability to request that third-parties that the funds work with stop processing their data
- Data portability – GDPR introduces a new concept known as data portability which is the right for an investor, sometimes referred to as a so-called data subject in the regulations, to receive the personal data concerning them. Investors may also have the right to transmit that data to another entity such as a different fund manager.
- Privacy by design and data minimization requirements – these privacy and design concepts are integrated into GDPR and call for data privacy controls to be implemented as part of the initial design of a fund manager’s systems. An additional theme of GDPR is to collect and retain only the minimum amount of data required and limiting access to only essential personnel
Data Protection Officers, Controllers and Processors
GDPR contains a number of technical terms which fund managers must be familiar with in designing their policies and procedures to comply with this legislation. To catch up on terminology, under GDPR there are also entities known as a, “controller.” This is the entity that determines the purposes, conditions and means of the processing of personal data. A data, “processor” is an entity which processes personal data on behalf of the controller. Using this terminology, a fund manager would likely be the controller and third-party fund service providers would be processors.
There is also a requirement under GDPR for a fund manager in the majority of cases to appoint an individual to a position known as a Data Protection Officer (DPO). There are a number of similarities between the role of a DPO and compliance related roles such as a Money Laundering Reporting Officer (MLRO), as
well as the Chief Compliance Officer (CCO) position. Similar to the role of the MLRO and CCO, the DPO may either be an employee of the fund manager or a third-party service provider. Another similarity to the practices typically employed for CCOs, under GDPR is that the DPO role must report directly to the highest level of management, must avoid conflict of interest and have appropriate resources to carry out their tasks. With all of this overlap there may be a tendency for a fund manager to simply add another hat to the already top-heavy role of the CCO by simply assigning them the required DPO title as well. Is this merely providing GDPR the minimum required lip service or will such dual appointments actually address the law’s requirements?
GDPR Operational due diligence considerations
If you haven’t already asked about GDPR during operational due diligence (ODD) – you should start!
In preparing for GDPR, both hedge fund and private equity fund managers must likely integrate their preparatory GDPR work with various departments including compliance, information technology, risk management, and senior management. The ways in which a fund manager has begun to make these preparations will likely be a useful source of information to signal if the manager is both aware of the intricacies of GDPR as well as if they have begun to make the appropriate preparations.
- Service provider based GDPR solutions
Similar to the initial implementation of Form PF in the US, there have been a number of information technology vendors and other fund third-party service providers including law-firms have begun to offer GDPR consulting services to hedge funds and private equity funds. The wide variety of services range from technology based data solutions to more traditional compliance and law based consulting. The GDPR related services offered by these firms may overlap with services a hedge fund or private equity manager is currently utilizing from an existing provider. Sorting all this out so as not to provide for a duplication of efforts, either internally at the fund or among multiple service providers, should be part of a fund’s pre-GDPR implementation game plan.
Hedge funds and private equity managers are increasingly utilizing cloud based solutions in part for their ease of accessibility, enhanced security and cost efficiency. A consideration for fund managers under GDPR would be if data is stored by a manager on their own cloud or more likely using third-party based cloud solutions. Additionally, a fund’s serviceprovider, such as an administrator or information technology vendor, may store fund related data on the cloud. Alternatively, a vendor engaged by a fund to assist with GDPR but as part of this process may also store fund data on the cloud. This use of the cloud could expose not only the third-party vendor to risk, but also the fund itself to enhanced data security and oversight obligations under GDPR.
- UK Brexit considerations
There are also considerations for UK based fund managers facing uncertainty surrounding whether or not the UK will retain GDPR in a post-Brexit environment. While the situation is uncertain, in part based on a history of similar previous UK legislation, such as the UK Data Protection Act of 1998, the UK government has suggested that they any legislation they implement will largely follow GDPR.
- EU Privacy Considerations as Funds Expand Technology Based Research
Fund managers, especially hedge funds in particular, have become increasingly creative in their attempts to collect and mine what some call, “alternative data, ”for investmentresearch purposes. Examples of these new types of data collection techniques that have replaced or augmented the traditional store channel checks, have included the use of drones and satellite imagery to monitor retail establishment parking lots, analyzing credit card transaction data, and the monitoring of cell phone signals for geodata to track the volume of visits to locations including hospitals and stores.
This data is often utilized as part of a larger predictive analytical analysis and may also be combined with big data analysis techniques. These new technology based data collection techniques have raised a number of potentially concerning grey areas with regards to the privacy implications surrounding this data including potential implications for violations of insider trading laws.
Under GDPR fund managers will have to ensure that the ways in which they collect and store this information complies with GDPR requirements. Many fund managers may not be collecting this data themselves but instead purchasing it. If that is the case, there are considerations under GDPR relating to the ways in which this data must be made anonymous in a GDPR compliant manner. Understanding the ways a fund manager has designed a strategy to navigate these types of complex data privacy issues, should be asked about during ODD.
- Other Key GDPR ODD Questions –
When approaching a fund manager about GDPR during ODD, the first question that should likely be asked is if they believe that GDPR will be applicable to them. If not, have they confirmed this with external counsel? When evaluating a fund’s answer in this regard it should also be noted that GDPR applies not only to EU based fund managers, but also to those that offer funds to EU investors. For example, a US based fund manager marketing its funds in the EU would likely be subject to elements of GDPR.
If GDPR is indeed applicable to a fund, key questions that should be incorporated to the ODD process to address GDPR would include:
- What steps have you taken to prepare for GDPR implementation?
- Have you worked with any third-party vendor such as compliance consultants or external legal counsel to evaluate you level of GDPR preparedness?
- How has the information technology department been involved in preparing for GDPR implementation?
- Is there a plan for GDPR considerations to be integrated into ongoing compliance, technology and internal audit testing?
- How will GDPR influence your cybersecurity plan including ongoing data breach testing?
- Who will be your DPO? Have you considered the pros and cons of outsourcing this role?
Also, from an ODD perspective it is worth inquiring to see if the fund manager intends to pass through any of the compliance expenses surrounding GDPR implementation directly to any underlying funds. Such direct pass-throughs will likely be frowned upon by investors, but still the increased costs of GDPR compliance may be passed through as a result of increased overall fund expenses for items such as shared servers or software to assist with compliance, which a fund’s investors may end up paying part of.
Where do we go from here?
GDPR is one in a variety of new regulations that will be affect fund managers in 2018. Others include the Markets in Financial Instruments Directive II (MiFID II / MiFIR) and the Packaged Retail and Insurance-based Investment Products (PRIIPs). Taking upfront measures now to evaluate how funds have prepared for these new challenges during the ODD process, before these regulations become effective, will likely offer valuable insights into the overall strength of a fund manager’s compliance program and the level to which they are informed of continued regulatory and legislative developments that can directly impact their bottom line profitability.
While asking a manager how they plan to approach GDPR is certainly a good first step, do you feel you are equipped to appropriately assess their responses? For example, are you up to speed on how are a fund manager’s peers on either side of the Atlantic approaching the situation? Have you surveyed the marketplace to understand if certain fund consultants and technology based solutions shown better aptitude in this area than others? Is your fund working with one of those consultants or systems? Do they plan to? Do you have an understanding as to overall best practices in this area? What about having a dialogue with regulatory agencies as to what their perspectives on the key enforcement areas they may tackle after GDPR takes effect?
These types of questions illustrate the added value a specialist ODD consultant such as Corgentum may be able to bring to the overall ODD process. Why not contact us today to learn how we can assist in evaluating if a fund under ODD consideration is appropriately prepared for GDPR? You might be surprised what you learn if you ask the right questions.