Recently the Managing Director of RFA UK, George Ralph, hosted a webinar for alternative investment and private equity firms, on the dreaded topic of GDPR. RFA partnered with Cummings Law and Portman Compliance Consulting, both experts in the alternative investment sector and very knowledgeable about the impending regulation from their legal and compliance perspectives. George covered the technology aspect, and they covered the who, the why and the what, in terms of how far firms need to go in order to comply.
While there have been some reports of GDPR being hyped up in the media, the topic is clearly a hot one for the alternative investment sector: registration closed at 120 when the event became oversubscribed.
The panel introduced the session and told listeners who the GDPR affects, which is virtually everyone. There are some very narrow derogations and exceptions, but in this sector, a lot of data falls under the high-risk category, so it is absolutely crucial for all firms to be putting measures in place now.
One of the main issues seems to be around consent. The data subject needs to give consent for their data to be taken, held and used for relevant and necessary purposes. It’s no longer sufficient to assume consent has been given, it must be explicitly given and recorded. A question was raised about data gathered either by business card, or by a LinkedIn account, which was interesting as both have a different answer. For data held on a business card, it isn’t enough to assume consent has been given simply because you are the holder of a business card. That card could have been found, taken, received in error. The owner could have intended the card to be used for a one time only purpose, not to be stored in a CRM system and used in the future. Advice from the panellists on this point was to include the details in a CRM system but to run regular and periodic opt-in campaigns to all the data held within that system. There are numerous tried and tested tools available to bolt onto CRM systems to do this, and some may suit different firms better than others. Definitely worth a discussion if you haven’t looked into it already.
In regards to data held in a LinkedIn or other social media account, it is slightly different. As the subject has already put these details into the public domain, the data is not covered by the GDPR and does not need the same level of scrutiny. However, when running a CRM cleansing exercise, all the data within a system will be subject to the same opt-in activity regardless.
The panel covered the differences between a Data Controller and a Data Processor, and the change from the current UK Data Protection laws, which place responsibility for the data in the hands of the Data Controller and leave the Data Processor not liable for data protection. This has changed: now both the Data Controller and the Data Processor are liable, and they must have a written agreement in place which gives the Data Processor the authorisation and the liability for protecting the data. The Data Controller remains equally liable for the protection of that data, however.
The panellists talked about DPIAs, or Data Privacy Impact Assessments: what they are and when they should be carried out. Essentially, they are a way of identifying and assessing the specific risks to data, and should be carried out by everyone initially and then again if and when there are changes to processes, systems or key personnel within the firm. If firms add a new line of business, or change a provider, then a DPIA should be done. In such a heavily regulated sector, it’s another thing to add to the existing compliance process, and shouldn’t be too onerous. In fact, some commentators are saying that DPIAs can only be seen as a positive thing: they will increase confidence in a firm, and allow firms to identify and mitigate risks early on, saving both time and budget.
George briefly touched on cybersecurity and the concept of privacy by design, which is a ground-up approach to data protection. If a breach does happen, and they do, firms should endeavour to report it within 72 hours to the supervisory authority. Not all breaches will result in a fine, however: firms that can demonstrate that they had adequate mitigation measures in place can be deemed to have met the standard required by the GDPR. Data encryption counts as such a measure.
Portman Compliance talked about the internal and external documents that firms need to update by May 2018, which included prospectuses, vendor contracts, systems of control procedures, IT procedures and HR policies and procedures.
The webinar ended on a scary note: the fines that can be levied, which can be as high as 4% of total global annual turnover and up to 20m Euros. Sobering stuff.
For those who are interested in hearing the webinar recording, you can find this here.
Let us know if you have any questions!