BVI data protection: A practical update for funds
01 September 2021
Following the recent enactment of data protection legislation in the British Virgin Islands (BVI), we consider below the practical steps which funds and fund managers should be taking to comply with the new regime.
In our recent Update entitled Data protection regime introduced in the BVI, we discussed the Data Protection Act, 2021 (DPA) which came into force in the BVI on 9 July 2021, establishing a legal framework to ensure the protection of personal data collected and processed by public and private bodies. As businesses established in the BVI, or established overseas but processing data in the BVI, now look to become compliant with the DPA, this Update provides a summary for BVI funds of the key practical steps to take towards compliance.
The DPA applies to data controllers, namely persons who either alone or jointly process personal data, or have control over, or authorise the processing of personal data.[1]
Personal data includes any information in respect of commercial transactions,[2] that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data controller, which:
- is being processed wholly or partly by automatic means;
- is recorded with the intention that it should be wholly or partly processed by such means; or
- is recorded as part of a relevant filing system.
How does the DPA apply to funds?
BVI funds typically require investors to provide personal information relating to that investor (or its directors, members and beneficial owners) to the fund or its service provider(s). That personal data is used to comply with their statutory and regulatory obligations (ie, to populate investor registers and to conduct anti-money laundering due diligence), to communicate with investors, make distributions or other payments and to meet ongoing obligations such as AEOI reporting.
BVI fund managers are also likely to have access to and utilise the personal data of underlying investors of their fund clients and, if so, be a data processor[3] under the DPA. Non-BVI fund managers will be data controllers under the DPA if personal data is processed on their behalf in the BVI which, in practice, is relatively unusual though not unheard of. It is more likely that onshore fund managers will be processing personal data on behalf of the BVI fund, or data controller, and so fall within the category of 'data processor' under the DPA (see Updates to service level agreements below).
What does the DPA mean in practice?
The key actions for BVI funds are summarised below.
Privacy notice – adopt or update
As a matter of best practice, data controllers should communicate certain privacy information to individuals. In the funds context, this information is usually disseminated to investors via a privacy notice annexed to the offering or subscription documents.
If your fund already has a privacy notice, it will likely need some updating to comply with the requirements of the DPA. The amendments required to a privacy notice which is GDPR[4]-compliant can be expected to be minimal.
Updates to offering documents
Most funds will elect to include a brief disclosure in their offering documents relating to the enactment and commencement of the DPA. This is useful in the context of active funds which have existing investors, as that language – together with the privacy notice – seeks (amongst other things) to make those existing investors aware of the updated privacy notice and their role in passing that privacy notice to any third parties whose personal data was provided by them to the fund.
Updates to subscription documents
For new and active funds, additional DPA representations/agreements should be built into the standard subscription documents. Those clauses provide the fund with comfort that each incoming investor has received and read the privacy notice and understands how the fund will process that investor's personal data. These clauses also require an investor which has provided the fund with personal data relating to third parties, to make those third parties aware of the fund's privacy notice. Additional provisions may also be included where, for example, investor consent is sought for specific processing actions by or on behalf of the fund.[5]
Updates to service level agreements
As a data controller, a fund is responsible for ensuring that the data protection principles set out in the DPA are adhered to by service providers who process data on the fund's behalf, as 'data processors'. The fundamental data processors in the funds context are the administrator and fund manager (to the extent these are required for the relevant BVI fund) who will, depending upon the specific structure, generally use investor personal data to comply with AML obligations, for FATCA/CRS reporting, processing investments, investor communication and reporting and for legitimate record keeping purposes. However, a particular fund structure may be substantially more complex than this, and the fund's contractual relationship with all service providers or potential data processors should be assessed and updated as required.
Funds should amend or supplement their service agreements to ensure that a third-party service provider or data processor safeguards the security of the personal data during processing. As with AML functions outsourced by a fund, the use of sub-contractors by the fund's service providers should also be monitored and, where such a sub-contractor may process personal data, strictly controlled in the relevant service level agreement.
It may not be convenient for a fund to update its offering and subscription documentation as described above, especially where the fund is closed. A more practical alternative may be for the fund to notify investors of its updated privacy notice (and provide easy access to that document through a link to the fund's investor portal or website) via a separate investor communication, whether scheduled or not. However, the fund must be proactive in providing the requisite privacy information to individuals.
This Update is not an exhaustive checklist of the ways in which funds will be impacted by the DPA. Whilst funds and fund managers should initially focus on undertaking these key practical steps, further action may still be required to ensure familiarity and compliance with the DPA's requirements. In particular, although the DPA does not require the adoption of data protection policies or the appointment of a data protection officer, fund managers and directors need to understand the flow of personal data within their structures to enable them to identify the actions required at each level to meet those requirements.
Fund managers and directors also need to be aware of the rights of the underlying data subjects, what their obligations are in relation to data access requests (whether at data processor level or otherwise) and the consequences of non-compliance.
It should be noted that, whilst the Office of the Information Commissioner was established by the DPA, no Information Commissioner has been appointed as at the date of this Update. We anticipate that further guidance on the DPA will be issued by the Office of the Information Commissioner in due course.
How can Mourant help?
Mourant can assist in providing further guidance on any aspect of the DPA, in the review and updating of fund documentation and contractual arrangements and in drafting board papers and internal data protection policies and procedures. Please get in touch with your usual contact or one of the contacts listed below with any questions.
[1] Processing is defined very broadly under the DPA and will include collecting, recording, organising, storing and erasing personal data, as well as disclosure of personal data to other persons, such as service providers.
[2] Commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
[3] Data processor means the person processing personal data on behalf of the data controller (but not including an employee of the data controller).
[4] The European Union's General Data Protection Regulation (Regulation 2016/679).
[5] For example, specific consent would likely be required where there is processing of sensitive personal data (which includes data relating to the political, religious, ethnic and sexual orientation of an individual), or where personal data is to be processed for new purposes not disclosed in an original privacy notice.