New data protection rules mean changes for asset managers, but it is administrators that are likely to pay for them. Nicholas Pratt reports.
Given the amount of change in the use and delivery of data over the past two decades – from the further evolution of the internet to the spread of social media and the scourge of cyber attacks – new regulation is well overdue.
On May 25 next year, the General Data Protection Regulation (GDPR) will take effect across the European Union, replacing the 1995 data protection directive.
Data developments have been felt keenly in the investment funds world. For specialist fund managers investing in private equity, hedge funds or real estate, the demand for data from both investors and regulators continues to rise.
“The influence of a growing number of institutional investors, combined with more attention from regulators on fund fees, charges and the like, have put more pressure on private equity fund managers to provide and produce more data than ever before,” says David Bailey, head of marketing and communications at fund administrator Augentius.
Pressure has resulted in more managers choosing to outsource data management and reporting to their administrators, and this is an area the GDPR touches directly. The regulation distinguishes between ‘data controllers’ (those that decide why and how personal data is processed) and ‘data processors’ (those that process it on a controller’s behalf). For asset managers, their role as data controllers will matter most.
Firms will also have to be aware of their role and responsibilities when outsourcing the processing of data, says Charles Gillanders, chief technology officer at Ireland-based administrator Quintillion. “They will have to be more vigilant about how their service providers are using and processing data, so as an administrator we expect to be subject to more oversight and due diligence.”
For example, one issue will be determining where liability and responsibility lie in an outsourcing relationship between fund managers and their administrators. When third-party administration firms collect data on behalf of the fund manager, the administrator may itself be treated as a data controller for that data rather than merely a processor, so the GDPR will also affect the administrator, which Bailey says will involve clearly defining and documenting procedures.
There will be some additional issues for managers to think about, he adds.
“Are you a data controller or a data processor and how do you process that data? What systems do you use and how is that data protected, what controls are in place? Do they use cloud-based systems?”
Data that managers hold on their staff – from HR files to employment contracts and bank records – is also covered by the regulation.
Gillanders at Quintillion says the focus will be on the legal agreements with managers and their shareholders and investors. “The GDPR does change things in terms of language and consent, so it will be a body of work to tidy up those agreements and to make sure they are fit for purpose. This means ensuring the language around consent is clear and distinguishable rather than a sub-clause or hidden elsewhere in the contract.”
Fines focus minds
Some people have been surprised by just how much attention the new GDPR has gained, given that the rules are not entirely new and there is still a year to go before they come into force. But, says Dermot Mockler, group head of regulatory affairs, compliance and anti-money laundering at Custom House, the size of the fines for a data breach (up to €20 million or 4% of worldwide annual turnover, whichever is higher) has helped to focus managers’ minds.
Another driver is cyber security, which is perennially linked to data protection. Mockler says: “Any fund managers outsourcing data management to administrators will have to ensure that those administrators are doing what they should be doing and have sufficient controls as part of a data protection impact analysis.
“They will also have to manage any transfer of data and ensure that they can track the progress of that data at all times along with the requisite controls, as part of a detailed data flow analysis. These are all things that they should have been doing anyway but will now be subject to much more focus.”
Firms will also have to ensure that their systems and reporting tools are fit for purpose. The recent WannaCry ransomware attack exposed the danger of relying on old technology and this is something that the private equity industry is guilty of, says Bailey. For example, managers will often send investors their performance reports or drawdown notices as a PDF via email.
A much safer approach would be to use online portals where investors are sent a notification to log on to a secure site where they can safely access the necessary documents, says Bailey. “If clients continue to use the old technology, they are exposing themselves to the risks of cyber crime.”
Many administrators are doing similar things in terms of their relationship with managers by providing an interface to automate the provision of data. For example, Custom House has developed a password-protected platform to provide shareholders and managers with all the data they need to satisfy their own reporting or investment needs, says Mockler.
Aware of their rights
Another consideration for managers and administrators alike is the appointment of a data protection officer, if they haven’t already done so. There also needs to be a broad review of systems. Furthermore, given the new rules that stress transparency, Mockler says administrators will need to ensure that shareholders are aware of their rights as data subjects.
They will also have to consider the data protection implications when data is transferred across borders, especially if it goes outside of the EU, and the need to provide constant visibility of data and the consent of the data subjects.
All of this amounts to additional cost, but who will bear it? Mockler believes it will be difficult for administrators to pass on to managers any of the costs they face from the GDPR. “I don’t think it will be a cost to the fund, but it will be a risk. It remains to be seen, though, who will bear the liability – but I suspect it will be the administrator when they are holding data on behalf of the manager.”
He adds, however, that given the amount of time and attention spent on the new data protection regime and its implications for the industry, there can be no excuse for non-compliance or a lack of preparedness.
©2017 funds europe