Data is fundamental to successful asset management throughout the entire investment lifecycle across a variety of functions. This data may be stored on multiple systems either in-house or with third-party service providers such as Virtus Partners. Significant changes in the way much of this data is being stored, and increasing regulation impacting data protection, mean that this is an opportune time to ask the right questions about how your portfolio and investor data is being collected and processed.
Use of cloud computing in the industry is growing fast and brings a different set of considerations and risks when conducting due diligence on third-party service providers. The new General Data Protection Regulation, the objective of which is to give European Union citizens tighter controls on their personal data, comes into force in May 2018. It will have a significant impact on asset managers in terms of both the level of security that will be needed and the potential liability associated with any data breaches. Both are good reasons to conduct a health check on how private debt managers and their service providers deal with personal data.
Cloud computing uses a network of remote servers hosted on the internet to store, manage and process data. It provides significant benefits in terms of speed, cost, scale and reliability through a range of service models. There are several key considerations when reviewing your third-party administrator’s cloud computing arrangements.
Firstly, it is important to ensure that both your administrator and its cloud provider have an appropriate cybersecurity policy in place. Strong cybersecurity procedures will have both preventative and detective internal controls. Business continuity procedures should also be a key focus in any due diligence review of cloud computing arrangements.
Secondly, private debt and other asset managers need to be confident that any service outage will not negatively impact their ability to function. It is important that there is a backup provider or site available in the event there is an issue with the cloud provider. This should become a focus area for service provider due diligence. Regardless of whether fund investor data is held locally or in the cloud, it remains each party’s responsibility to ensure the rights of the data subject are protected. Finally, a transfer agent to a fund will use the information provided by an investor to update the shareholder register of the fund. Some of this processing may be done by the transfer agent in the EU, and some may be outsourced to another entity within the same group of companies, or to a third party, which may or may not be based in the EU. When assessing its own obligations under GDPR, a transfer agent should clearly set out what data it processes, where and how it is processed, and by which entity.
In most cases, fund managers will be regarded as “controllers” – those who control the use of personal data – for the purposes of the regulation, and third-party fund administrators would be regarded as “processors” – those who process data on behalf of a data controller. GDPR applies to both controllers and processors established in the EU and those outside the EU who offer goods or services to EU data subjects. Data transfers to countries outside the EEA continue to be prohibited unless that country ensures an adequate level of protection. The GDPR retains existing transfer mechanisms, and provides for additional mechanisms, including approved codes of conduct and certification schemes. The regulation also prohibits any non-EU court, tribunal or regulator from ordering the disclosure of personal data from EU companies unless it requests such disclosure under an international agreement, such as a mutual legal assistance treaty.
Below are 10 practical steps that private debt managers, their fund boards and all fund service providers involved can take to prepare for compliance with the new regulation.
1. ASSESS RESPONSIBILITIES
Establish which parties are responsible for processing investors’ data and for what purpose. A central premise of the new regulation is accountability and for each party to be able to demonstrate how they comply with the regulations.
2. CONTRACTUAL ARRANGEMENTS
Document the contractual arrangements between those parties and review the data protection provisions in those contracts to determine if they reflect the current arrangements.
3. DATA PROTECTION OFFICER
Determine which of the parties need to appoint a data protection officer and discuss with those parties who that is, or will be, and what their responsibilities will be in the context of the fund.
4. DATA INVENTORY
Capture the flow of investor personal data between the parties to the fund, capture the legal basis for the processing and determine if investor consent is required.
5. DATA SUBJECT RIGHTS
Review the data privacy notice currently in circulation for the fund and determine if it will need to be updated and if investor consent is required. Establish a communication strategy for existing investors. Develop a plan for the management of investor data privacy rights throughout their relationship with the fund and ensure that all parties to the fund have structures in place to protect those rights.
6. COMPLIANCE MONITORING
Develop a compliance monitoring programme and set out the reporting that will be required by the board of the fund.
7. BREACH NOTIFICATION
Ensure all parties have the structures in place to identify and report a breach. It is important to note that GDPR provides supervisory authorities with wide-ranging powers to enforce compliance, including the power to impose significant fines of up to €20 million or 4 percent of your global annual turnover of the preceding financial year, which provides a large stick authorities can wave.
8. CHANGE MANAGEMENT
Discuss change management with each party to the fund to ensure that the process incorporates ‘privacy by design/default’.
9. RISK MANAGEMENT
Review the privacy impact assessment methodologies proposed by the parties to the fund in the context of each of their roles and the risks that are relevant to their business and operating models.
10. TRAINING AND AWARENESS
Each party should develop a training and awareness programme that reflects the role that they play in processing investor data and their obligations under the GDPR.
In summary, the next couple of years will see much change in how data is obtained, managed and stored. All stakeholders need to be aware of this new landscape with respect to their own operational risk given the high stakes involved. Thinking about the future now and planning will mean these downside risks are mitigated and data is treated, in its truest sense, as a commodity.