Alternative Investment Management Association

Proposed EU Data Protection Regulation - potential issues for asset managers

Lawrence Brown, Managing Associate

Simmons & Simmons

Q2 2012 edition


On 25 January 2012, the European Commission published a proposed new EU Data Protection Regulation (the “Regulation”), which sets out the rules that organisations would have to comply with in relation to their processing of personal data if the Regulation were to be implemented in present form. The Regulation includes a wide-ranging set of new requirements – relating to areas ranging from territorial scope to the notification requirements that apply if a data breach occurs – that would substantially change the data protection obligations applicable to asset managers and businesses operating in other sectors. We consider a number of these requirements in detail below. These requirements are particularly important as the proposed new fines for non-compliance, which represent a step-change in the enforcement measures that are available to data protection authorities, are severe.

The Regulation also includes some potential benefits for asset managers, which we consider further below.

The Regulation is not yet in approved form. It is currently being considered by the EU Member States and the European Parliament. Consultations are taking place in EU Member States. The process of approving a new item of EU legislation commonly lasts 12 months or more, depending on the number of readings and level of amendments required. As currently drafted, the Regulation will take effect two years after it is finalised. However, asset managers would be well-advised to consider the potential impact of the Regulation now and join in the debate on issues that affect them.

The purpose of this article is to highlight a number of headline issues and benefits that would arise out of the Regulation (if implemented in current form) to asset managers, with a view to this supporting their compliance planning processes and to helping them to join an informed debate in relation to the Regulation.


What is the current UK data protection law?

The main item of data protection legislation in the UK is the Data Protection Act 1998 (DPA), which implements the EU Data Protection Directive (Directive 95/46/EC) (the “DP Directive”). The DPA is now generally well understood by in-house counsel and compliance teams at asset managers, including on key points such as the rights of individuals, data security and overseas transfers of data.


What are the main new or amended requirements that the Regulation would impose, if implemented in present form?


Potentially the most eye-catching of the changes that the Regulation would impose is the level of fines for breaches, which are modelled on the existing sanctions for breach of competition law. Maximum penalties for intentional or negligent breaches would include fines of up to €1 million or 2% of an enterprise’s annual worldwide turnover. This change would mean that the risks associated with data protection non-compliance continue to increase, following the change in UK law in early 2010 to allow the UK data protection authority, the Information Commissioner’s Office (ICO), to impose monetary fines of up to £500,000 for serious breaches of the DPA.


Territorial scope

Under the DPA, only data controllers that are established in the UK, or that use equipment in the UK for data processing, are subject to its requirements. The proposed Regulation significantly expands the territorial scope of the rules: it applies not only to organisations established in the EU, but also to controllers established outside the EU where their processing relates to offering goods and services to individuals in the EU or to monitoring their behaviour.

Asset managers frequently use offshore entities in their business activities, which could mean that those entities fall within the scope of the proposed new rules under the Regulation.


Data breach notification

Under the DPA, there is no general data breach notification obligation, although the ICO does recommend notification of data breaches in certain circumstances. In addition, Financial Services Authority (and other regulatory authority) rules may require notification under certain circumstances. Under the Regulation, controllers would be required, where feasible, to notify the relevant data protection authority within 24 hours of becoming aware of a data breach, regardless of the potential impact of the breach or whether measures are in place to reduce its potential impact. Controllers would also be required to notify data subjects (after notifying the authority) “without undue delay” of any breach which is likely to “adversely affect” the protection of the data subjects’ personal data or privacy, unless “appropriate technological protection measures” are in place and are being applied.

Based on our experience of data breach scenarios, the 24-hour timeline referred to above would be very challenging. In the immediate aftermath of a data breach, the controller usually carries out an initial process of assessing what the breach involves and how any individuals may be affected. The timeline proposed realistically does not allow for this. Moreover, it raises the prospect of data protection authorities being deluged with incomplete (and therefore unhelpful) notifications.


Documenting processing

The Regulation would impose new requirements relating to the analysis and documenting of data processing activities. Controllers and processors would have to keep records of their data processing activities, the individuals concerned and the recipients of data. In addition, they would have to carry out impact assessments for processing to which an increased level of risk applies. Whilst we anticipate that some asset managers may already have documented their data processing activities to a degree, the new requirements would require them to carry out a significant level of further analysis in this area.


Data protection officer

Under the Regulation, all enterprises that have more than 250 people in permanent employment would be required to designate a data protection officer who has responsibility for compliance and monitoring of data security and provides a point of contact for the exercise of data subjects’ rights.

In addition to the points above, the Regulation includes a number of other significant measures that pose a challenge for asset managers, including new requirements that apply to data processors (those processing information on behalf of a controller) and new requirements to give individuals “the right to be forgotten” and a right to “data portability”.


What are the main benefits associated with the Regulation?

As the proposed new legislation is a Regulation (rather than a Directive, as is the case with the DP Directive, which is implemented separately in each EU Member State), it will have direct effect in all EU Member States. This would mean a greater level of consistency enabling enterprises operating across the EU to comply with one law, rather than various local laws implementing the DP Directive.

There is also a “one-stop shop” approach to supervision, which would involve a single data protection authority being empowered to make decisions regarding the activities of a pan-European organisation. In theory, this would result in a reduced administrative burden for pan-European organisations. However, some data protection authorities have already queried how a data protection authority would be chosen and have highlighted the possibility of organisations deliberately structuring their operations in such a way as to be subject to “lighter touch” regulation.

The Regulation would also remove the general requirement on organisations to maintain a notification of their data processing activities with their national data protection authority. EU Commissioner Viviane Reding envisages that the removal of this requirement will save organisations €130 million per annum. However, in the light of the level of new requirements (including the introduction of requirements to monitor and document personal data processing risks more generally), it is debatable whether there will be any net saving for organisations.


Next steps

At this stage, we recommend that asset managers should familiarise themselves with the Regulation and start working out what challenges and opportunities it presents to their businesses. The requirements in the Regulation may move on; until it is in approved form, it remains a case of “watch this space”.
