GDPR compliance for funds

Is your fund ready? Key date for compliance: 25 May 2018.

As this short update explains, funds and their directors should be aware of the need to send privacy notices to individual data subjects including investors where applicable and to ensure their fund service providers (such as administrators) have sufficient safeguards and processes in place for the proper governance and protection of relevant data. We can help.

Background

The EU General Data Protection Regulation (GDPR) via its extra-territorial effect, as well as (in Jersey) the Data Protection (Jersey) Law 2018 and (in Guernsey), the Data Protection (Bailiwick of Guernsey) Law, 2017 is creating a number of additional obligations in respect of investment funds based in the Channel Islands, with an effective date of 25 May 2018.

As part of subscription arrangements by investors in funds, significant amounts of personal data are typically provided to funds by investors. For the purposes of data protection legislation, the fund vehicle itself (or, depending on structure, its GP or trustee) as well as in many cases the investment manager will tend to be construed as ‘data controllers’. Additionally, either the fund or the investment manager will appoint an administrator and a range of other service providers which depending on their role and activities will generally be considered to be ‘data processors’. Data controllers and data processors have direct liability for their activities regarding personal data and are required to be registered accordingly. In addition, each fund which has appointed these service providers will need to maintain appropriate oversight.

In most cases the existing contractual terms of the investment into the fund (usually set out in the information memorandum and subscription documents) will not currently include the specificity required under GDPR in relation to investor consent (if relied upon) and information rights, and will not be fully compliant with the new regime. We are currently advising on a range of GDPR structures and solutions, and are able to provide documentation, including forms of privacy notice, which will assist funds to comply with the new data protection legislation.

In relation to the fund itself, the relevant board of directors will also need to be comfortable that, at each level where data is controlled, processed, stored etc, there are sufficient safeguards and processes in place for the proper governance and protection of the personal data of investors. We are able to support with data mapping exercises and policies, including in situations where international transfers of data may take place. We are also able to advise on the amendments that might need to be made to service provider contracts, such as administration agreements.

The board members of fund companies, of general partners of fund partnerships and of trustees and managers of fund unit trusts should be aware of these requirements, particularly in the context of any broader regulatory or contractual obligations they might have to comply with all relevant areas of law and regulation.

Should you require our assistance with the preparation of privacy notices, data mapping and service agreement amendments, please get in touch with your usual contact.

Our team of GDPR specialists can:

• provide GDPR legal advice.
• assist in the review of current policies and procedures to help identify gaps or areas where common problems may arise and where work is likely to be needed as a result of the GDPR.
• provide tailored in-house training specific to the aspects of the GDPR that are most relevant to your business.
• review and draft relevant contracts and policy documents.
• review and draft privacy notices.