* The information in this article is provided for informational purposes only. No information should be construed as legal advice from Advanced Alternative Investment Systems or the Titan Technology Group, Ltd. or the individual author nor is it intended to be a substitute for legal counsel.
General Data Protection Regulation (“GDPR”)
Components of the regulation include:
- Breach notification
- Right to access
- Right to be forgotten
- Data portability
- Privacy by design
- Data Protection Officer (“DPO”)
How GDPR Applies to Investment Managers
In this example, the Investment Manager has shareholders that are EU residents. The Administrator or Back Office of the Investment Manager will have contracted with SoftwareCo to use its platform. The Administrator will have obtained information on shareholders, investment managers, and interested parties that receive statements (“Contacts”) into the SoftwareCo System (the “Platform”). The majority of GDPR responsibility regarding Contacts lies with the Administrator, but specific responsibilities lie with SoftwareCo, and other duties are shared by the Administrator and SoftwareCo.
Administrators should appoint a DPO who will, within four hours, notify their Contacts of any data breach. Administrators should also ensure that SoftwareCo has appointed a DPO and that such person will notify the Administrator of any breach that they become aware of via their overall access to the Platform.
Right to access
Contacts have access to their data through the Administrator and are subject to the
Administrator's policies and procedures.
Right to be forgotten
Administrators control the data collected on the Contacts. If any Contact chooses to be “forgotten,” then the Administrator must update the Platform so that the Contact’s data is no longer in existence or will cease to exist after an appropriate period. Investment Managers need to ensure that SoftwareCo has built this functionality into the Platform.
A Contact’s data stored on the Platform can be shared at the approval of the Contact and subject to the policies of the Administrator. Investment Managers need to ensure that SoftwareCo has built the ability to share data into the Platform.
Privacy by design
Administrators should ensure
As stated above, the Administrator should ensure that it and SoftwareCo each has a dedicated DPO.
In addition to satisfying these six components of GDPR, Administrators should also:
- Ensure that contracts are in place that accurately reflect the current arrangements concerning data protection. For example, consider whether the contract between SoftwareCo and the Administrator includes standard operating procedures to handle requests from a GDPR data subject in a timely and efficient manner.
- Review SoftwareCo’s breach policies and procedures to determine how and when parties will be notified if a breach occurs at SoftwareCo.
- Ensure that SoftwareCo will not engage third-parties for processing protected information without written authorization from the Administrator.
- Ensure SoftwareCo is adhering to data retention policies and that information is appropriately disposed of when requested or upon expiry.
- Review Data Privacy Notices currently in circulation for the Investment Manager’s accounts and determine if such notices need to be updated or if investor consent is required.
- Document procedures and set out compliance reporting, including to the boards of any funds.
The Titan Platform enables users to comply with GDPR by providing functionality such as the ability to “forget” an individual’s personal information at a certain point in time and the ability to transfer an individual’s complete transaction and historical information upon the individual’s request. Titan is a cloud-based, truly integrated, portfolio accounting, general ledger, RTA, income allocation, compliance, AML and portal system. Please email firstname.lastname@example.org for more information.