AIMA

The Alternative Investment Management Association

Representing the global hedge fund industry

Proposed EU Data Protection Regulation - potential issues for asset managers

Lawrence Brown, Managing Associate

Simmons & Simmons

Q2 2012 edition

Introduction

On 25 January 2012, the European Commission published a proposed new EU Data Protection Regulation (the “Regulation”), which sets out the rules that organisations would have to comply with in relation to their processing of personal data if the Regulation were to be implemented in present form. The Regulation includes a wide-ranging set of new requirements – relating to areas ranging from territorial scope to the notification requirements that apply if a data breach occurs – that would substantially change the data protection obligations applicable to asset managers and businesses operating in other sectors. We consider a number of these requirements in detail below. These requirements are particularly important as the proposed new fines for non-compliance, which represent a step-change in the enforcement measures that are available to data protection authorities, are severe.

The Regulation also includes some potential benefits for asset managers, which we consider further below.

The Regulation is not yet in approved form. It is currently being considered by the EU Member States and the European Parliament. Consultations are taking place in EU Member States. The process of approving a new item of EU legislation commonly lasts 12 months or more, depending on the number of readings and level of amendments required. As currently drafted, the Regulation will take effect two years after it is finalised. However, asset managers would be well-advised to consider the potential impact of the Regulation now and join in the debate on issues that affect them.

The purpose of this article is to highlight a number of headline issues and benefits that would arise for asset managers out of the Regulation (if implemented in current form), with a view to supporting their compliance planning processes and helping them to join an informed debate in relation to the Regulation.

What is the current UK data protection law?

The main item of data protection legislation in the UK, the Data Protection Act 1998 (DPA) (that implements the EU Data Protection Directive (Directive 95/46/EC) (the “DP Directive”)), is now generally well understood by in-house counsel and compliance teams at asset managers, including as regards key points such as the rights of individuals, data security and overseas transfers of data.

What are the main new or amended requirements that the Regulation would impose, if implemented in present form?

Sanctions

Potentially the most eye-catching of the changes that the Regulation would impose is the level of fines for breaches, which are modelled on the existing sanctions for breach of competition law. Maximum penalties for intentional or negligent breaches would include fines of up to €1 million or 2% of an enterprise’s annual worldwide turnover. This change would mean that the risks associated with data protection non-compliance continue to increase, following the change in UK law in early 2010 to allow the UK data protection authority, the Information Commissioner’s Office (ICO), to impose monetary fines of up to £500,000 for serious breaches of the DPA.

Territorial scope

Whereas under the DPA, only data controllers that are established in the UK or that use equipment in the UK for data processing are subject to the DPA requirements, the proposed Regulation significantly expands the territorial scope of the rules; it applies not only to those organisations that are established in the EU, but also to controllers that are established outside the EU where their processing relates to offering goods and services to individuals in the EU or the monitoring of their behaviour.

Asset managers frequently use offshore entities in their business activities, which could mean that those entities fall within the scope of the proposed new rules under the Regulation.

Data breach notification

Under the DPA, there is no general data breach notification obligation, although the ICO does recommend notification of data breaches in certain circumstances. In addition, Financial Services Authority (and other regulatory authority) rules may require notification under certain circumstances. Under the Regulation, controllers would be required, where feasible, to notify the relevant data protection authority within 24 hours of becoming aware of a data breach, regardless of the potential impact of the breach or whether measures are in place to reduce its potential impact. Controllers would also be required to notify data subjects (after notifying the authority) “without undue delay” of any breach which is likely to “adversely affect” the protection of the data subjects’ personal data or privacy, unless “appropriate technological protection measures” are in place and are being applied.

Based on our experience of data breach scenarios, the 24 hour timeline referred to above would be very challenging. In the immediate aftermath of a data breach, the controller usually carries out an initial process of assessing what the breach involves and how any individuals may be affected. The timeline proposed realistically does not allow for this. Moreover, it raises the prospect of data protection authorities being deluged with incomplete (and therefore unhelpful) notifications.

Documenting processing

The Regulation would impose new requirements relating to the analysis and documenting of data processing activities. Controllers and processors would have to keep records of their data processing activities, the individuals concerned and the recipients of data. In addition, they would have to carry out impact assessments relating to processing to which an increased level of risk applies. Whilst we anticipate that some asset managers may have documented their data processing activities to a degree, the new requirements would require them to carry out a significant level of further analysis in relation to this area.

Data protection officer

Under the Regulation, all enterprises that have more than 250 people in permanent employment would be required to designate a data protection officer who has responsibility for compliance and monitoring of data security and provides a point of contact for the exercise of data subjects’ rights.

In addition to the points above, the Regulation includes a number of other significant measures that pose a challenge for asset managers, including new requirements that apply to data processors (those processing information on behalf of a controller) and new rights for individuals, namely the “right to be forgotten” and the right to “data portability”.

What are the main benefits associated with the Regulation?

As the proposed new legislation is a Regulation (rather than a Directive, as is the case with the DP Directive, which is implemented separately in each EU Member State), it will have direct effect in all EU Member States. This would mean a greater level of consistency enabling enterprises operating across the EU to comply with one law, rather than various local laws implementing the DP Directive.

There is also a “one-stop shop” approach to supervision, which would involve a single data protection authority being empowered to make decisions regarding the activities of a pan-European organisation. In theory, this would result in a reduced administrative burden for pan-European organisations. However, some data protection authorities have already queried how a data protection authority would be chosen and have highlighted the possibility of organisations deliberately structuring their operations in such a way as to be subject to “lighter touch” regulation.

The Regulation would also remove the general requirement on organisations to maintain a notification of their data processing activities with their national data protection authority. EU Commissioner Viviane Reding envisages that the removal of this requirement will save organisations €130 million per annum. However, in the light of the level of new requirements (including the introduction of requirements to monitor and document personal data processing risks more generally), it is debatable whether there will be any net saving for organisations.

Next steps

At this stage, we recommend that asset managers should familiarise themselves with the Regulation and start working out what challenges and opportunities it presents to their businesses. The requirements in the Regulation may move on; until it is in approved form, it remains a case of “watch this space”.

lawrence.brown@simmons-simmons.com

www.simmons-simmons.com
