|WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is designed to achieve consistency in data protection laws across the European Union (EU) and it will become applicable in all EU member states from the 25th May 2018. GDPR will mark a shift in data protection in the EU which currently relies on national legislation for each EU member state.
In advance of 25th May, firms will be busy preparing for GDPR by analysing gaps in their current data protection provisions and implementing any necessary changes to ensure that they can comply with the new regulations.
WHO DOES GDPR AFFECT?
GDPR applies to both data controllers and data processors established in the EU. GDPR directly impacts businesses and organisations which operate in the EU but it also has an extra territorial impact. For example, organisations based outside of the EU, but which control or process personal data relating to EU citizens are also likely to be in scope for GDPR.
GDPR will therefore impact most funds and fund managers globally. Not only will it have direct effect on funds, fund managers and fund service providers that are EU based but it is also likely to impact most non-EU funds, fund managers and fund service providers, directly or indirectly. The extent of the impact will depend on business activities, contractual relationships, investor/client profiles and also where personal data is stored and processed .
WHY IS GDPR IMPORTANT?
For funds, fund managers and fund service providers that operate in the EU, the implementation of GDPR marks the most important change in data privacy legislation and regulation for two decades. This is for several reasons:
- If GDPR applies to your firm, you must comply. There is no opt out clause and non-compliance will lead to hefty fines.
- It involves every aspect of data collection in organisations that collect or process personal data on people. It impacts on the manner in which all personal data is obtained, classified, retained and destroyed.
- Firms will be required to have total visibility of their data storage: who is storing data and how data is processed.
- Firms will have to demonstrate greater transparency on how their data is collected and processed and will have to adhere to notification requirements if personal data is breached.
- Data subjects, be they customers, users or employees, can make demands about the information that is held about them. They will also have the right to make a claim if their data is not protected in compliance with the GDPR. These requests can be made at no cost to the data subject.
STEPS TO ENSURE YOU ARE GDPR READY
Centaur offers guidance in the context of the funds’ industry:
- Each party must consider and document the legal basis for collecting, controlling and/or processing any personal data (for example consent, performance of a contract, legal obligation).
- The roles and responsibilities of controllers and processors must be clearly defined and documented in fund documents and fund service agreements (for example, who is the data controller and processor in respect of specific data).
- Roles and responsibilities can vary across different business relationships and contractual arrangements. In some cases, an organisation can be a data controller as well as a data processor, depending on the context of the business relationship and the nature and purpose of the personal data which the organisation collects and/or processes.
- The rights of data subjects will need to be understood and clearly disclosed in fund documents (for example, the right of access to data, the right to be forgotten, data portability rights and the right to withdraw consent).
- The manner in which personal data is obtained, classified, retained and destroyed will need to be reviewed to ensure compliance with the GDPR whilst continuing to comply with all other applicable regulatory retention requirements (for example, retention and deletion programs, data classification, data access and security provisions).
- Effective governance arrangements will need to be in place to facilitate ongoing compliance monitoring by all parties and in particular, to ensure that all notifications and reporting requirements are met (for example breach notifications to the relevant data protection authority, to the data subject, data protection audits, data protection impact assessments and disclosures).
CENTAUR AND GDPR COMPLIANCE
Centaur’s internal GDPR working group is busy preparing for GDPR along with its technology partners. Tracy Tookey, Head of Risk and Compliance at Centaur, explains:
“Centaur is actively engaged with the Irish Funds’ GDPR Working Group, which is considering the wider impact of the GDPR on the funds’ sector in Ireland. We are aware that many of the required notices and disclosures will need to be addressed in the fund documents, namely the prospectus and subscription agreements and we are currently working with a number of clients and their lawyers as regards the updates they wish to make to their documents, contributing as necessary. We expect this to continue through 2018 as more clients seek to update their documents to cater for GDPR.”
Tracy continues, “We are also reviewing the terms of our service agreements with clients in light of GDPR and we expect to consult with clients on any required updates to their agreements during Q1 and Q2 2018. We all must be GDPR ready by the May ’18 deadline and Centaur is on hand to work in partnership with clients to achieve this mutual objective.”
For more information, contact Tracy.Tookey@centaurfs.com
GDPREU.org: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;