
GDPR for Irish Funds - 8 month countdown

The EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018 and has been described as the most ground-breaking piece of European Union legislation in the digital era. It aims to modernise the legal framework of data protection and privacy in Europe to ensure the consistent protection of personal data by making businesses more accountable for compliance. The implementation of the GDPR brings about a number of sweeping changes and investment funds, their administrators and other relevant delegates should prepare now for what will be the biggest change to data protection laws in over 20 years. Set out below is a summary of key GDPR-related matters set to impact the funds industry.

Direct Liability & Increased Penalties – Immediate effect

Liability and penalties for breaches of the GDPR will be as high as €20m or 4% of a group’s annual global turnover (whichever is greater) and individuals (e.g. investors) will have a right to sue for material and non-material damage arising from data protection breaches.  

Accountability

The newly-introduced accountability principle will constitute a key aspect of GDPR for the funds industry. Accountability requires a board of directors to take a proactive and evidence-based approach to compliance with data protection rules. As of 25 May 2018, every board must be in a position to demonstrate that appropriate governance measures have been implemented to meet the standards required under GDPR.

Subscription form & prospectus disclosures

Data protection disclosures in subscription forms and/or prospectus documents will require updating in line with GDPR, which prescribes various information to be provided to investors at the time of data collection. 

Contracts with & oversight of administrators

New liability principles and a requirement for more detailed terms to be incorporated in contracts with processors will necessitate updates to existing agreements between funds and various of their service providers, including, most notably, administrators. There will also be a requirement for administrators to flow down these terms where they engage sub-delegates that will process personal data on their behalf. With most administrators in the market continuing to operate an outsourced business model for administration services such as transfer agency, boards of directors will need to examine the processes in place to ensure appropriate oversight of all delegated services which involve the handling of investor data. 

Grounds for processing data

The legal basis upon which data is being processed must be identified to investors at the time of data collection and, if relying on consent as a legal basis, funds should note the increased consent threshold set by GDPR, which requires consent to be documented, specific, freely-given, informed and unambiguous. It must also be as easy for individuals to withdraw consent as it is for them to give it. This challenging threshold may result in funds moving away from consent as the primary legal basis upon which investor data is processed.

Enhanced rights for investors 

New rights include the right to be forgotten, the right to restriction of processing and the right to data portability. These should be reflected in relevant service provider agreements, such as administration agreements, as funds will require the co-operation of service providers to comply with these requests in certain circumstances. Information on how to avail of the new rights must also be provided to investors.

DPIAs (Data Privacy Impact Assessments)

DPIAs will be mandatory for high risk data processing such as profiling and large scale processing of special categories of data. For funds, this may be of particular relevance if introducing any new technology or undertaking any new project involving the collection of investor data.

Security breach reporting

The GDPR introduces a requirement to report to the Data Protection Commissioner within 72 hours where a risk arises to the rights and freedoms of individuals (such as investors). Funds must notify investors about any breaches to their personal data without undue delay where a personal data breach is likely to result in a high risk to their rights and freedoms. This will be in addition to applicable Central Bank of Ireland reporting requirements.

Records management

GDPR introduces an obligation to maintain detailed records of processing activities for both controllers (i.e. funds) and processors (i.e. administrators). This will replace the obligation to register with the Data Protection Commissioner.

One-stop shop

Organisations may be regulated by one supervisory authority if their main establishment is in the EU (meaning that they should only have to deal with one data protection and privacy regulator). This may, in light of Ireland’s well-regarded ’firm but fair’ data protection regime, prove beneficial for Irish funds, e.g. in the case of claims under GDPR being taken by investors in other jurisdictions.

Territorial scope

GDPR expands the territorial scope of data protection law such that certain non-EU funds may fall within its scope (e.g. where they process the personal data of EU citizens such as investors based in the EU).

Next steps

Given the extensive impact of GDPR on the funds industry it is critical for all relevant stakeholders to commence preparation for 25 May 2018 at the earliest opportunity.

ICSA’s Excellence in Governance Awards is judged by two independent judging panels. Judging takes place in July and August, with the shortlist announcement in early September.


Transparency in governance categories

Transparency in governance categories are judged by Hermes and ISS. Hermes helps institutional shareowners around the world to meet their fiduciary responsibilities and become active owners of public and private companies. Its team of engagement and voting specialists monitors its clients' investments in companies and intervenes where necessary with the aim of improving performance.


Our judging criteria for these categories stipulate good and poor practice within each category area.


Download the transparency in governance category judging criteria. [LINK]


Company secretary award categories

Company secretary award categories are judged by a select panel of five judges, all highly experienced in company secretarial and governance fields, spanning the private and not-for-profit sectors.

To allow our judges to assess nominations fairly and objectively, all nominations are judged on the same criteria. Nominators will be asked to submit biographical information of the nominee and a general statement in support of the nomination, plus specific examples or evidence of achievement across the following six areas:

1. Company law, regulation and compliance. Demonstration of the meeting of their organisation’s legal obligations and keeping on top of legislative development and change; examples of excellence in the design and maintenance of efficient and effective control systems for ensuring compliance.

2. Corporate governance and shareholder relations. Demonstration of measures implemented to improve the effectiveness of corporate governance and shareholder communication within their organisation.

3. Corporate restructuring. Demonstration of having undertaken acquisitions, disposals and any other significant restructurings or transactions.

4. Information management and communication. Examples of excellence in the management, retrieval and dissemination of information, including the harnessing of information technology to aid performance; evidence of timely and effective communication with both internal and external stakeholders.

5. Leadership and management. Evidence of circumstances where an individual has shown exemplary leadership and management.

6. Innovation. Examples of achievements using new thinking to solve issues and problems.

We ask nominators to include evidence of achievement in at least three of these six areas.