What is GDPR?
- The General Data Protection Regulation (“GDPR”) governs the collection, storage and processing of data. It is designed to strengthen and unify data protection for all individuals in the European Union.
- The regulation comes into force on 25th May 2018 and firms must be compliant by this date.
- GDPR introduces a new principle of accountability which means firms in scope of the regulation must have appropriate governance measures in place to demonstrate compliance.
Will GDPR affect Cayman domiciled funds?
It may, depending on the activities the fund carries out. The GDPR not only applies to firms domiciled in the EU but also to firms established outside of the EU where processing involves offering goods or services to ‘data subjects’ in the EU. This means if a fund has European investors or is actively marketing to European investors, it may be in scope of the GDPR. Where a Cayman fund is in scope of the GDPR, it may be required to appoint a ‘representative’ in the EU to assist the fund in meeting its GDPR obligations. The EU representative will be the point of contact for any queries data subjects or data protection supervisory authorities have in relation to the fund’s activities.
What does it mean for funds in scope of the GDPR?
Investment funds captured by the regulation will be considered data controllers of investor data. Service providers will be considered data processors (in certain circumstances they may also be considered data controllers).
The main responsibilities of data controllers are to:
- communicate with data subjects regarding the processing of their personal data;
- maintain a record of all processing activities;
- ensure there is a legal basis for processing of personal data;
- choose processors that provide sufficient guarantees to implement appropriate technical and organisational measures and procedures to ensure GDPR requirements are met;
- ensure contracts with data processors contain appropriate GDPR language;
- ensure data is not stored for longer than the period necessary for use; and
- determine if an EU representative must be appointed.
The responsibilities of data processors include:
- only processing data specified under the terms of agreement with the controller;
- maintaining a record of processing activities;
- obtaining the express consent of the data controller prior to appointing sub-processors;
- co-operating with supervisory authorities;
- carrying out Data Protection Impact Assessments (“DPIAs”) where processing may result in a high risk to an individual’s rights;
- the potential requirement to appoint a Data Protection Officer (“DPO”); and
- notifying data controllers of data breaches.
What are the consequences for firms that fail to comply?
Firms which breach the GDPR are liable to a maximum fine of the greater of €20m (over US$24m) or up to 4% of their annual global turnover. The GDPR’s administrative fines are designed to reflect the severity of the breach and in each case to be effective, proportionate and dissuasive.
How can Carne help?
Carne can assist Cayman funds in meeting their GDPR obligations by carrying out the following activities:
- drafting and maintenance of a Data Protection Policy for the fund;
- completing a data inventory to identify personal data processed by the fund and the lawful basis for processing;
- due diligence of data processors, e.g. the fund administrator;
- handling data breaches including reporting to the relevant supervisory authority;
- maintenance of a data breach register;
- training – informing and advising the board on their obligations under the GDPR; and
- acting as the fund’s EU representative where necessary.