Today on the blog, RFA UK Managing Director George Ralph discusses the implications of the collapse of Safe Harbor for hedge funds.
What are the implications of the collapse of Safe Harbor for the alternative investment sector?
The US approaches data protection in a very different way to Europe, but with so many organizations doing business across the globe, it became apparent that something was needed to bridge the gap and ensure that European personal data was handled just as stringently when it reached the US. The Safe Harbor agreement was passed into law in 2000 to allow US companies doing business in the EU to transfer data from EU-based consumers to US servers in a way that complied with EU data protection laws. The objective was to make international business transactions more seamless, but in the light of Snowden’s revelations and, more recently, the Schrems case, on 6th October the agreement was deemed inadequate in the protection it provided to personal data.
With no signs of a Safe Harbor 2 imminent, firms that are trading in both continents have an immediate need to act.
As a hedge fund or private equity manager, what should you be doing?
Firstly, understand what data constitutes personal data and is therefore bound by the EU Data Protection Directive. If your firm is a US firm with staff based in Europe, personnel files are likely to be considered personal data. Information about investors is often comprehensive, by mandate, and this too is likely to be considered personal data. Transaction data is likely to contain personal data, as is fund information, and both should be looked at carefully. Research data may not contain personal data, but information on mergers and acquisitions could contain employee data, in which case it would be considered personal data.
The data outlined above should not be viewed, transferred, stored or exported in the US if that has not been expressly approved by the individual it relates to.
Next, I would recommend evaluating your data estate and getting a clear picture of where data is and where it was generated, and mapping it to where it should be. Tagging data is a useful exercise to ensure the right data is in the right place. If you store data in the cloud, and who doesn’t these days, include your cloud providers in this mapping exercise. The cloud is historically quite opaque, so this could be a lengthy exercise, but it is a vital one.
As I mentioned above, the EU Data Protection Directive states that privacy rules do not apply to data if the individual that the data relates to gives permission for the data to be stored, transferred and processed outside of the EU. To comply, this would need to have been written into a contract and signed, so check all affected contracts to see if this clause already exists. If so, Safe Harbor was never needed in the first place. However, if, like many firms, this has not been written into contracts, then it is worth running an exercise where individuals are contacted with a clear opt-in message that they can agree to, and the responses must be collected and stored for regulatory purposes.
There will, of course, be individuals for whom opting in is not possible, and in these cases you must move your data to a local data centre. For many firms, building a private data centre is not an option, so a locally situated, cloud-based, multi-tenanted data centre would be an ideal option.
Before agreeing to move any data, run a thorough evaluation of the cloud partner’s set-up, policies and procedures to ensure they are EU DPD compliant, then work together to develop a migration plan that causes as little disruption to services as possible.
Moving forwards, and once your data is where it should be, it is a good idea to encrypt data so that it is protected under any circumstances. Take control of your data, bringing additional skills into your IT team if necessary, but ensure that you have clear sight of your critical personal data, so that you can confidently claim compliance with data protection legislation, whatever the legislative bodies’ next moves may be.
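To tie the classification, mapping and consent steps above together, here is an added example, written for this page and not part of the original post or of any RFA tooling, of a small data-residency audit in Python. It tags each asset as personal data using the categories discussed above, maps origin to storage region, and for EU-origin personal data held outside the EU decides whether a signed consent clause covers it, whether an opt-in exercise is still needed, or whether the asset has to be migrated. The region labels, the inventory and the consent records are constructed sample data, and the field names are my own assumptions rather than any standard.

```python
"""
Data-residency audit: classify assets, map where they live, and check whether
EU personal data stored outside the EU is covered by signed consent.
All inventory and consent data below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum

# Assumed region labels; anything not listed is treated as outside the EU.
EU_REGIONS = {"eu-west", "eu-central", "uk-south"}


class Category(Enum):
    PERSONNEL = "personnel"
    INVESTOR = "investor"
    TRANSACTION = "transaction"
    FUND = "fund"
    RESEARCH = "research"


# Categories the post says are likely to contain personal data.
PERSONAL_BY_DEFAULT = {
    Category.PERSONNEL, Category.INVESTOR, Category.TRANSACTION, Category.FUND,
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: Category
    origin: str                  # region where the data was generated
    location: str                # region where it is stored today
    subjects: tuple              # ids of the individuals the data relates to
    employee_data: bool = False  # research / M&A material that names staff


@dataclass(frozen=True)
class Finding:
    asset: str
    action: str                  # "ok", "collect_opt_in" or "migrate"
    missing_consent: tuple = ()  # subjects without a signed clause


def is_personal(asset: Asset) -> bool:
    """Tag an asset as personal data using the categories from the post."""
    if asset.category in PERSONAL_BY_DEFAULT:
        return True
    # Research only counts when it carries employee data (e.g. M&A files).
    return asset.category is Category.RESEARCH and asset.employee_data


def audit(assets, consents):
    """
    consents maps a subject id to "signed" (clause on file) or "declined"
    (opt-in not possible); an absent subject has not yet been asked.
    Returns one Finding per EU-origin personal-data asset held outside the EU.
    """
    findings = []
    for a in assets:
        if not is_personal(a):
            continue
        if a.origin not in EU_REGIONS or a.location in EU_REGIONS:
            continue  # non-EU data, or EU data already in an EU region
        missing = tuple(s for s in a.subjects if consents.get(s) != "signed")
        if not missing:
            findings.append(Finding(a.name, "ok"))
        elif any(consents.get(s) == "declined" for s in missing):
            # At least one individual cannot opt in: the data has to move.
            findings.append(Finding(a.name, "migrate", missing))
        else:
            findings.append(Finding(a.name, "collect_opt_in", missing))
    return findings


# Constructed sample inventory and consent register.
SAMPLE_ASSETS = (
    Asset("hr-files-london", Category.PERSONNEL, "eu-west", "us-east", ("emp-1", "emp-2")),
    Asset("investor-kyc", Category.INVESTOR, "eu-west", "us-east", ("inv-7", "inv-9")),
    Asset("trade-blotter-eu", Category.TRANSACTION, "eu-central", "eu-central", ("inv-7",)),
    Asset("sector-research", Category.RESEARCH, "eu-west", "us-east", ()),
    Asset("mna-due-diligence", Category.RESEARCH, "eu-west", "us-east", ("emp-3",), True),
    Asset("nyc-staff-files", Category.PERSONNEL, "us-east", "us-east", ("emp-9",)),
)
SAMPLE_CONSENTS = {"emp-1": "signed", "emp-2": "signed", "inv-7": "signed", "emp-3": "declined"}


if __name__ == "__main__":
    for f in audit(SAMPLE_ASSETS, SAMPLE_CONSENTS):
        extra = f" (no signed clause: {', '.join(f.missing_consent)})" if f.missing_consent else ""
        print(f"{f.asset}: {f.action}{extra}")
```

Run stand-alone, the script reports the London HR files as covered by signed clauses, the investor KYC set as needing an opt-in message to one investor, and the M&A due-diligence file as needing migration because an employee has declined; the EU trade blotter, the non-personal research and the US-origin staff files produce no finding. Feeding it a real inventory is a matter of replacing the constructed tuples with output from your data-mapping exercise and your cloud providers' region metadata.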