GDPR FOR PRIVATE EQUITY AND REAL ESTATE

Date: Friday, 3rd November 2017
Start time: 12:30 GMT

Panellists:
- Pat McIntyre, GDPR Project Manager
- David Rowland, Group Head of AML and Compliance Manager, Augentius Guernsey
- Duncan Smith, Managing Director, Augentius Luxembourg

Moderator: David Bailey, Group Head of Marketing and Communications

The General Data Protection Regulation (GDPR)

An EU regulation which affects anyone in the world who handles the personal information of any individual citizen in the EU. This includes:
- Funds
- Fund Managers
- Portfolio Companies

Different obligations will apply, depending on whether you are a data controller or processor, the obligations of a controller being more onerous.

A Data Controller: where an organisation collects data (or has a third party collecting data on its behalf) AND they decide what to do with the data.

A Data Processor: an organisation which processes data on behalf of another party.

Who might you outsource data to?

One of the first steps Fund Managers should take is a review of whom they outsource data to. Some examples are as follows:
- Fund administrators
- Payroll Agents
- Cloud providers
- Systems hardware hosts
- Pension providers
- Healthcare (BUPA etc.)

Fund Managers should liaise with these parties to ascertain how their plans to comply with the GDPR are progressing and whether they transfer personal data outside the EU.

Where personal data is transferred outside the EU you must ensure that an adequate level of protection is afforded; one way of achieving this is the use of Model Clauses.

Guernsey and Luxembourg

Will the GDPR apply in Guernsey?

Yes. Local government have announced that the GDPR will be incorporated into local law, with the aim to be ready for implementation in May 2018. Guernsey's committee for Home Affairs has published the new Data Protection Law. This is important for Guernsey as it will ensure that Guernsey maintains its adequacy in the future on an international level.

How does this affect Luxembourg domiciled funds?

Many AIFMs and other Investment Fund entities employ Fund Administrators as Central Administrator. Central Administration is a key requirement for Luxembourg Funds and the provision of Fund Administration services by regulated, PSF or Credit Institutions. In many cases the Fund, GP, Holding Companies delegate the Central Administration to the Fund Administrator and in these cases the Fund Administrator is deemed to be the Data Controller in Luxembourg. There may of course be scenarios where the Asset Manager may also be regarded as a Data Controller in their home jurisdiction, depending of course on the flow of data between investor and the Fund.

What are the main new requirements?

Many existing requirements under the Data Protection Act are incorporated into the GDPR. However, there are a number of major new requirements:
- Increased scope: more entities will be subject to the GDPR
- Increased data subject rights, which include greater transparency, right to be forgotten, data portability and obtaining specific consent (in certain scenarios)
- New requirements before personal data can be transferred outside the EU
- Breach management and notification
- Privacy by design: considering the DP implication for new products and services
- A sizeable increase in the penalties that can be levied for data breaches
- The need to appoint a Data Protection Officer, in certain circumstances
- The ability to appoint a lead supervisory authority should reduce bureaucracy where a controller operates in multiple Member States

Next steps?

Fund managers should undertake a comprehensive review to:
- benchmark their data protection policy and procedures against the requirements of the Regulation;
- check that their HR policies and procedures reflect the requirements of the Employment Practices Code;
- identify the gaps and what is required to address them;
- identify all instances where personal data is transferred outside your business to be processed;
- consult with your suppliers to establish what steps they propose to take to meet their obligations and if this will help the manager meet their obligations, e.g. IT system changes to assist with erasure and right to be forgotten requirements;
- identify instances where personal data is transferred outside the EU and ensure that adequate safeguards are in place;
- agree an appropriate action plan, including timeframes; and
- implement the plan to ensure compliance.

Augentius Group: the facts

- Over 640 staff globally
- Investors from 111 countries
- 70% of staff either qualified or part-qualified
- 200+ clients serviced globally
- 12 domiciles serviced
- 520+ Funds serviced
- $130BN assets under administration
- 17,000+ payments processed each year
- 14,000+ Investors serviced globally
- Augentius Group raised over US$40,000 for local charities over the last 12 months

Let's keep in touch

- Pat McIntyre: Pat.McIntyre@augentiusdepositary.com
- David Rowland: David.Rowland@augentius.com
- Duncan Smith: duncan.smith@augentius.com