The General Data Protection Regulation is the latest piece of legislation affecting hedge fund managers to roll off the European Union’s production line. It comes into force on 25 May 2018, and represents a significant overhaul and expansion of the EU data protection regime. Most managers have already been getting to grips with the details, so this piece looks at some particular questions that have arisen for hedge fund managers.
The new world of data protection
GDPR was not written on a blank slate. It is closely based on the EU’s current legislation, the Data Protection Directive 1995 (implemented in the UK by the Data Protection Act 1998), and the most fundamental concepts – “processing”, “personal data”, “data controllers” and “data processors” – will be familiar to those who already know the current regime. GDPR also prescribes a largely unchanged set of conditions for the processing of personal data and a list of “data protection principles” that has only been slightly refreshed. Much of it feels very familiar.
The most noticeable changes under GDPR are an extension of territorial application (of which more below), more restrictive conditions for valid consent, more detailed disclosure requirements, and additional rights for individuals whose data is being processed.
These changes are obviously significant. But lurking behind them is a more fundamental change in the EU’s philosophy regarding the protection of personal data, reflecting a world that has changed beyond recognition since 1995 in the field of personal data. This new outlook manifests itself in the enhanced powers of regulators to investigate businesses by conducting data protection audits, the new requirement that a firm must, in addition to complying, also be able to demonstrate compliance, the requirement on many organisations to have a data protection policy, and the requirement to keep data processing records. The idea is, it would seem, to shift data protection regulation from a passive stance, where breaches can be referred by individuals to the data regulator for action, to a more active posture, under which the regulators will actively monitor compliance.
What isn’t yet clear, and won’t be for some time, is the extent to which this new regulatory environment will make a noticeable difference to the day-to-day operations of hedge fund managers. Unlike financial services regulations, data protection rules apply to the whole economy, and every business in the modern economy is a data controller to a greater or lesser degree. The Information Commissioner’s Office – the UK’s data regulator – cannot intend to actively monitor and regularly audit every business in the UK. The ICO is reported to be significantly increasing its headcount to upgrade its supervisory capacity, to around 600 staff, but that can be compared against the FCA employing around 3,500 staff to regulate the financial services sector alone (albeit for compliance with a far larger book of rules).
So it is generally assumed, very reasonably, that active scrutiny will be reserved for the big users of retail data – tech companies, supermarkets, banks and the like. The larger institutional asset managers, some of which hold financial information on millions of individual customers, may also be of significant interest to the ICO. But relative to these, hedge fund managers are small users of personal data, and, while there is no distinction in principle under GDPR between personal data held in relation to retail clients and that held in relation to professional clients, the professional nature of the relationships is likely to make the industry even less of a focus.
There is therefore no reason to expect that regulators will audit or investigate hedge fund managers in normal circumstances. Nor might one expect a hedge fund’s clients and service providers to be very active users of their direct data rights under GDPR.
So, despite the attention being given to GDPR, is it business as usual for hedge fund managers? In many respects, yes it is – certainly more so than it will be for many larger businesses. But while managers might not see much difference in their day-to-day experience of data protection regulation, a breach of data protection rules, in particular one that relates to a breach of data security, is now likely to have more severe consequences for a manager.
The UK’s current maximum fine for a breach of data protection rules is £500,000, and other EU jurisdictions have comparable penalties. Under GDPR, the maximum fine will be greatly increased, to the greater of €20 million and 4% of worldwide annual turnover (an idea borrowed from competition law). These numbers are imposing, but, as with the active investigatory powers, the power for regulators to impose such painful fines has been created with the large users of personal data in mind, where a breach might affect millions of individuals and where the business incentives to push the boundaries are clear.
Comments from the ICO suggest that it is unlikely that a business like a hedge fund manager would be fined for small-scale, inadvertent breaches. Nevertheless, a major security breach of investor data that attracts significant publicity, for example, might force a data regulator to take a tougher approach and to look very hard from top to bottom at the data controller’s compliance with data protection laws. Such breaches seem increasingly likely, for reasons both related and unrelated to GDPR.
Firstly, there are new requirements under GDPR to report a data breach to the regulator if it is likely to result in a risk to an individual’s rights, and to report it to the individuals themselves if that risk is high. Under the current regime, no such reporting is required, meaning that businesses have effectively been able to operate under a “no harm, no foul” principle – although this is subject to industry-specific rules, including the SYSC rules in the FCA handbook. The new reporting requirements may bring more breaches into the public domain than has been the case to date.
Secondly, the examples of the Panama Papers and the Paradise Papers have made clear not only that financial information relating to wealthy individuals will make global headlines, but that hackers will actively seek to obtain it. A data security breach at a fund administrator, which holds investment and tax information on large numbers of investors, could draw similar attention.
These considerations point to an important conclusion, although not a revelatory one – data security is more important than ever, and managers must ensure that their own IT systems and internal procedures are sound, and that any service providers with access to personal data, in particular the fund administrator, also have sound systems and procedures. Data protection issues are unlikely to arise unless a data security breach occurs, but if such a breach does occur, the consequences are unpredictable but potentially very severe. If an organisation has not complied with GDPR, the problems could be significantly exacerbated.
Strategies using personal data
Over the last few years, a number of systematic trading strategies have been developed that feed behavioural information on large numbers of individuals into their algorithms. To the extent that this information is personal data (or, for an organisation outside the EU, the personal data of EU individuals), this activity will be subject to GDPR.
Whether the data is “personal data” rests on whether it relates to an individual who is “identified or identifiable”. If a manager only receives information about individuals that has already been aggregated, it is likely that no one could identify information about particular individuals and so GDPR would not apply. If a person’s name has simply been replaced by a code or similar (“pseudonymised”, to use the GDPR term), then the individual will still be considered to be identifiable and GDPR will apply. Aggregated data sets obtained from intermediaries are therefore less likely to be within the scope of GDPR than data obtained directly from web scraping, especially if the web scraping is concerned with the behaviour of individuals.
If GDPR applies to data used for an investment strategy, what should a manager do? The first requirement to consider is the obligation to notify individuals that their personal data is being processed, along with certain other information about the processing. This would potentially be very onerous, but the obligation does not apply if “the provision of such information proves impossible or would involve a disproportionate effort”. This may often be the case in practice, although the point should be properly considered.
The other requirements of GDPR – to only process data where permissible, to allow individuals certain rights over their data and so on – will apply regardless. If a data security breach occurs, the obligation to notify individuals of it does not apply if it would involve “disproportionate effort”, but in this case it would be replaced by a requirement to make a public announcement. Encrypting the data would also negate this obligation.
Extraterritoriality – offshore funds
The EU’s current data protection regime only applies to organisations with EU establishments and those that use equipment in the EU to process personal data. GDPR no longer takes the location of equipment into account (except where it might constitute an “establishment”), but it expands the territorial scope in a way that will catch large numbers of non-EU organisations.
Most importantly for fund managers, it will apply to organisations that process personal data in relation to the offering of goods or services – including fund interests and investment management services – to the relevant EU individuals, although only with respect to the personal data of the individuals to whom the interests are offered. The term “offering” is broad, and may include passive acceptance of investors without any active marketing, if it appears that steps have been taken to accommodate EU investors.
This means that most offshore funds managed by UK managers will be directly subject to GDPR in their own right, at least in respect of some personal data. Fund directors will therefore need to consider their obligations, both for implementation and for ongoing compliance.
The personal data that is processed by or on behalf of an offshore fund is, for the most part, the information on investors that is processed by the administrator. This includes AML information and tax information, and for politically exposed persons it might include sensitive information on political beliefs, to which special rules apply. Funds will need to disclose to investors the information required by GDPR, most likely by way of disclosures in their application forms or offering documents, and the administration agreement (and any other agreement with a data processor) will need to be amended to incorporate the terms required by GDPR. Funds may also need a data protection policy, and certain other rules (e.g. record-keeping) must be considered.
Contrary to some assumptions, funds should not usually need to obtain the consent of investors to the processing of their data. Data can be processed using any one of a number of justifications, and an alternative justification to consent is where the processing is “necessary for the purposes of the legitimate interests pursued by the controller [i.e. the fund in this case] or by a third party”. This justification is not unlimited, but it will be broad enough to cover any processing that is within the normal and expected operations of a fund and a fund administrator.
More fundamentally, there is a question of whether an EU manager will constitute an “establishment” of an offshore fund in any event. If it is, this will in most cases bring all of the fund’s data processing within the scope of GDPR regardless of any offering. The existing caselaw gives “establishment” a fairly broad meaning, although offshore funds have not generally considered themselves directly subject to the existing EU regime. In any case, if a fund is offering its shares to EU individuals and also applying the same data protection framework to all data, then the question becomes less significant.
Extraterritoriality – non-EU managers
The same rules on “offering” fund interests that will bring many offshore funds within the scope of GDPR will also catch many managers in the United States, Asia and elsewhere, who commonly offer interests in their funds to EU individuals. The funds in question will also be within scope, of course.
Such managers will not relish the prospect of compliance with GDPR, and if they currently raise little money from the EU they may instead seek to avoid GDPR entirely by ensuring that they are not “offering” shares to EU individuals.
Alternatively, because it is only the processing of data in connection with offers to individuals that is subject to GDPR, it seems to be the case that non-EU managers and funds will be able to market to EU institutions without being subject to GDPR, so long as there is no offering to individuals. To the extent this is feasible, it will require careful planning.
Extraterritoriality – monitoring behaviour
Non-EU businesses will be subject to GDPR with respect to any processing of personal data that relates to the monitoring of the behaviour of individuals in the EU. This is the rule that will catch non-EU managers using personal data within their investment strategies, as discussed above, but the more common implication for non-EU managers is that they will need to consider whether their websites will cause them to be doing this.
Cookies that track individuals who use websites, which are now common, are likely to be “monitoring” those individuals. Managers wishing to avoid GDPR in this area should ensure either that their websites do not do this, or that the activity is switched off for EU individuals.
The FCA’s view
The FCA, while noting that the ICO will regulate data protection and enforce GDPR in the UK, has stated that compliance with data protection is something that it will consider in the context of a firm’s SYSC and senior management obligations. Whether this implies any specific focus on data protection by the FCA will become clearer over time, but firms should be ready to justify and explain their data protection policies and decisions to the FCA as well as to the ICO.
GDPR is a broad topic, and this article has only addressed a selected few issues within it. While the text of the regulation is known and many issues are well-understood, market interpretations and practices in a number of areas are likely to develop further between now and 25 May, in particular with respect to the application of the rules to specific sectors such as the hedge fund industry. Managers should already be in the process of implementing GDPR for themselves and for their funds, and they should remain in contact with their advisers throughout the process and be conscious of further developments.