GDPR – the challenges for an asset manager
By Michelle Bedwin, Compliance, BTG Pactual
Published: 23 April 2018
On 25th May 2018 the EU General Data Protection Regulation (GDPR) will come into effect and, with only two months to go, Asset Managers should now be concluding their GDPR projects. The GDPR covers all EU member states and will apply to all companies, including FCA Approved Firms, holding or processing the data of individuals. Most Asset Managers are already subject to the Data Protection Act (1998) and so should already have robust controls in place. It is nonetheless important for Asset Managers to review their controls, given that the maximum fine for a breach of GDPR is equivalent to 4% of global revenue for the organisation, and to consider any additional implications of the new requirements.
The intention of GDPR is to protect the rights of EU citizens in respect of their data, and companies that systematically hold or process the data of individuals, such as mobile phone companies, have been preparing for this new EU Regulation for years. Although alternative asset managers are obviously not dealing with data in the same manner and generally have very few ‘individual clients’, all Managers should have identified the data that they are holding and processing, in line with the suggestions contained within the ‘AIMA GDPR Implementation Guide’ published in January 2018.
The GDPR project should have been fairly straightforward for most Managers but there are several important questions that all Managers should ask themselves before signing off on their implementation projects.
Many AIMA members will have very few individual investors and, by the time you have worked out whether the Manager or the Fund Administrator are ‘data controllers’ or ‘data processors’ or both, these individuals may have been forgotten about. You should already have discussed GDPR with the Fund Administrator(s) before any administration agreement is changed, and considered the controls for keeping investor data secure and what the process would be if there happened to be a data breach in respect of an investor. The new administration agreement may be finalised, but firms should think about what will happen if there is a data breach in early June. Will the Administrator contact you, and will you notify the respective Regulators in both jurisdictions if the Administrator is based in the EU? Who at your Firm should the Administrator contact? Do you have a Data Protection Officer (see below), or will the Administrator just contact their main operational contact? Will that main operational contact know what to do if there is a breach?
This subject may not be high on the agenda for asset managers considering the client base of most AIMA members. However, GDPR protects the data rights of individuals irrespective of whether they are ultra-high net worth or have opted up to be a professional client. You should not just think about your current client base for your GDPR project, but also about any individuals who may be in your CRM database and how you can allow those individuals to ‘opt into’ marketing going forward, as per the GDPR requirements.
All EU asset managers, and many non-EU asset managers, will be in scope of GDPR and, as part of your projects, you will already have considered the sensitive personal data, such as sickness records, held about staff by your HR department. However, you also need to consider other records held about your staff, as other departments may hold data about them. Your Compliance team will hold PA dealing account records for your staff and your BCP Coordinator will hold personal telephone numbers. Also, do any external providers hold data about staff? A firm’s ARM will hold passport numbers for MiFID 2 reporting, and even MTFs have been requesting such passport numbers for Traders. Don’t forget about prospective staff too: it is prohibited under GDPR to retain a CV in case a role turns up in the future for a promising candidate, unless that individual has provided his or her consent for the CV to be held.
Data Protection Officers
Some Asset Managers have a Data Protection Officer currently, and there may be discussions as to who will be the Data Protection Officer post GDPR, but do you actually need a Data Protection Officer? Under GDPR, only companies which regularly and systematically monitor data subjects on a large scale, or which process special categories of data on a large scale, are required to appoint one. Only a tiny number of AIMA members will fall into this category, so ask yourself why you are opting into further requirements of GDPR unnecessarily before you appoint a Data Protection Officer. Even if you don’t have a Data Protection Officer, you need a Data Protection Coordinator who understands the requirements and acts as the Manager’s contact point for all data-related questions.
Data Subject Access Requests
Data Subject Access Requests can be an administrative burden and expensive. GDPR provides more rights to the individual about accessing their data and, when the first big fines are issued, individuals will become more aware of their rights. Have a think about what you would do if a disgruntled ex-employee makes a request and how easy it would be to compile. If the thought fills you with horror, then, as a Manager, you should probably work through a mock request and see how you do.
You may be pleased that the end of yet another regulatory project is in sight, but don’t forget about future compliance. Is GDPR covered in your product governance processes, and will you even know if an IT function changes a server? Staff should be trained on their obligations, but they cannot just be trained once, and all staff will need to know exactly what to do if there is a breach rather than it simply being covered in a policy.
GDPR needs to be part of your compliance monitoring programme, and you should prepare for a visit by the Information Commissioner’s Office just as you would for any other Regulator, making sure policies are kept up to date and staff remain trained. Remember, GDPR is going to be with us for a long time, even with Brexit!