June 2019 marked the one-year anniversary of GDPR coming into force (25th May 2018). Its impact on firms globally and the way they must handle personal data in the European Economic Area (EEA) has been discussed at length. As readers are probably aware, this new regulation affects all types of businesses across all industries that request, control, analyse or otherwise process the personal data of individuals in the EU. The regulation seeks to ensure individuals’ rights and freedoms are protected. One year on from the implementation of the GDPR, it is time to reflect on its impact on the finance industry, and in particular on the buy side.
Funds as ‘Data Controllers’
One of the main aspects of the GDPR that seems to have been missed is its impact on fund vehicles (Fund). The industry understood the application to the fund manager (Manager) but seemingly was less interested in its impact on any Fund. Whilst working with our clients on the implementation of the GDPR, we discovered that Managers often took the recommended proactive approach to their GDPR compliance by introducing and adopting relevant policies. Often the same persons did not, however, apply the same for their Fund(s), leaving such Fund(s), and worse their investors, exposed to the risk of the consequences of non-compliance. What adds to this risk is that service providers, notably administrators, often define the Fund as the data controller of the data that they process on the Funds’ behalf. Consequently, Funds have ended up bearing the ultimate liability for any potential non-compliance without adequate provisions to mitigate such risk.
This means that Funds can be held liable for any breach with regards to the protection of personal data of investors in the EEA, irrespective of where the Funds are domiciled. The only way to avoid potential consequences is for the Funds, just like the Managers and other service providers, to have policies and procedures in place to help mitigate circumstances that would lead to non-compliance. Of course we all know that non-compliance could in turn cost the Funds not only financial fines (4% of annual global turnover or €20 million, whichever is greater) but also their reputation and the reputation of their service providers. This could be a disaster especially for liquid Funds, where ensuing redemptions could ‘kill’ the product.
The Unintended Consequences of GDPR
With the GDPR hitting its one-year anniversary, many publications are now looking back on the aims of the GDPR and whether these have been achieved as we reach the end of the transition period. To many it appears that GDPR, in some respects, has had the opposite effect to what was intended. For example, it has reportedly become harder to track cyber criminals due to restrictions on processing web domain registration details such as names and addresses. As stated by the Forbes Technology Council [in the article above], ‘this outcome was never foreseen since the regulation focused on protecting the customer data without explaining how malicious user and activities would be addressed.’* Another unintended consequence is the idea of ‘opt-in fatigue’, which refers to individuals being so tired of being asked to consent to policies that they just click close on the message box without reading how the data will be used. This causes them to unknowingly lose the privacy rights that the GDPR was brought in to protect.
Despite these negative impacts, there are benefits, and many Firms have properly reviewed the way they store personal data. The ICO has reported a “massive increase” in reports of data breaches since GDPR’s implementation, which clearly brought the public’s attention to the fact that they needed to be more vigilant about where and how their data was stored and which incorrect procedures could be challenged. It remains to be seen how many of these breaches will be followed up by fines, but the pressure remains to get things right.
From recent critiques, the EU may be expected to adjust the regulations and correct some of these early issues, although no material changes are expected as yet.
The California Consumer Privacy Act
Looking outside of the EEA, California is following in the EU’s footsteps with the California Consumer Privacy Act, which is set to come into force on 1st January 2020. This Act draws parallels with the GDPR, such as giving individuals the right to request to see the personal data that a business holds on them as well as the right to erasure. More countries are introducing similar concepts in their legal systems, e.g. Brazil, also due in 2020. Perhaps this will be the catalyst which will see data protection policies and procedures being implemented and regulated more stringently globally as it becomes a legally recognised norm.
When it comes to global compliance, therefore, Firms have a choice: either to reform their data protection infrastructure in an effort to comply with the GDPR or, for example, the California Consumer Privacy Act, or to segregate the way they handle the data of EU or Californian residents from the rest of the world. To segregate how data is held depending on which country the data pertains to would be more expensive and less efficient. Therefore, synergies in the various global trends need to be sought, and policies and procedures should be updated regularly to follow the strictest requirements of the global privacy laws, which is especially relevant to multi-jurisdictional firms managing personal data for a global client base. This may be onerous but safer, and will highlight to investors evidence of best practice and the Firms’ awareness of the changing business environment. This will be good for any due diligence, reflecting proper compliance and ethics.
For now, therefore, there is still room for improvement; however, it is likely many Firms will not be pressed into doing any more until there is a credible threat of enforcement that can reach beyond the frontiers of the EU.
Get in touch
If you have any questions or queries regarding this topic, or wish to learn more about how Laven can assist you in becoming GDPR compliant, notably using our Eurorep service or our compliance software, please email Hannah Langdon [email protected] / [email protected].