What U.S.- Based Investment Advisers Should Know
The European Union’s (“EU”) General Data Protection Regulation (the “GDPR”) became effective on May 25, 2018, and provides individuals in the EU with greater control over the collection, use, storage, transfer, deletion and other types of processing of their personal data.
While investment advisers typically already comply with data protection requirements governing financial services in the U.S. and elsewhere, the recent implementation of the GDPR requires a careful review of the firm’s operations, as well as possible changes and enhancements to remain compliant.
Below is a summary of GDPR provisions that are relevant to U.S.-based investment advisers, regardless of whether they have a physical presence in the EU.
A. What is the GDPR’s Territorial Scope?
The GDPR’s territorial scope is very broad. It applies to (i) investment advisers that are established in the EU, including U.S.-based investment advisers that have a physical presence in the EU and (ii) investment advisers outside of the EU if they are providing investment advisory services to a fund in which an individual in the EU is invested or has entered into an investment advisory relationship directly with an individual in the EU.
Accordingly, the GDPR applies to U.S.-based investment advisers that have (i) EU individuals as clients, (ii) EU individuals as investors in the funds they manage, or (iii) employees in the EU. This is the case even if such investment advisers have no physical presence in the EU.
The GDPR is also in effect in the United Kingdom, despite “Brexit.”
B. How is “Personal Data” Defined Under the GDPR?
The GDPR protects the rights of “data subjects,” which are individuals (not entities) in the EU, with respect to their “personal data.” For investment advisers, “data subjects” are most likely to be investors in the funds the investment adviser manages, individual investment advisory clients, and employees in the EU.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” The GDPR provides that an “identifiable natural person” is one who can be identified by data such as:
- Identification number;
- Location data;
- An online identifier; or
- Other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
“Personal data” includes data regarding individuals in the EU that is collected by investment advisers from their clients and from investors in their funds, in “know your customer” documents, and in subscription documents (including the investor’s name, national identification number, address, employment information, date of birth and financial and investment qualifications).
C. How Can Investment Advisers Obtain Legal Authority to Process Personal Data?
Investment advisers are permitted to process the personal data of individuals in the EU (including an investment adviser’s employees in the EU) only if they have legal authority to do so. The GDPR provides that processing is lawful only in certain circumstances, such as:
- The individual has given affirmative “opt-in” consent to the processing of his or her personal data for one or more specific purposes after sufficient information is provided to the individual (note that consent can be withdrawn at any time);
- The disclosure the investment adviser provides should be in clear and plain language, and ideally, include the topics described in Item #4 of Section H. below.
- Processing is necessary for the performance of a contract to which the individual is party, or to enable the investment adviser to take steps at the request of the individual prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the investment adviser is subject; or
- Processing is necessary for the purposes of the legitimate interests pursued by the investment adviser or by a third party, unless these legitimate interests “are overridden by the interests or fundamental rights and freedoms” of the individual.
When an individual in the EU becomes a new client of an investment adviser, the most prudent course of action for the investment adviser typically will be to obtain (and document) the affirmative consent of the client to the processing of his or her personal data for the specific purposes that the investment adviser discloses in writing. The disclosure and consent can be obtained via the subscription documents completed by prospective fund investors, and the managed account agreement with an advisory client.
With respect to existing clients who are individuals in the EU, investment advisers should consider obtaining affirmative consents or, in lieu of obtaining such consents, the adviser may seek to rely on another method of legal authority (such as the performance of a contract or legitimate interests). As noted above, obtaining and documenting consent is not the only way to obtain legal authority to process the personal data of individuals in the EU, but will typically be the most prudent way to do so, as it is easier to demonstrate that consent was obtained than to argue whether another legal basis such as “legitimate interests” exists.
D. What Other Rights Do Individuals in the EU Have Under the GDPR?
The GDPR guarantees other rights to individuals in the EU with respect to their personal data, including:
- The right to be notified regarding how the investment adviser will use their personal data (such notice must be clear and specific; it cannot be vague and replete with legalese);
- The right to access their personal data;
- The ability to instruct an entity to erase their personal data (a.k.a., the “right to be forgotten”);
- The ability to instruct an investment adviser to correct inaccurate personal data;
- The ability to restrict an investment adviser’s processing of personal data in certain circumstances;
- The ability to move their personal data from one organization to another in certain circumstances; and
- The right to be notified of data breaches in most situations.
E. Third Party Vendors
When an investment adviser uses the services of a third party (such as an administrator) to process the personal data of individuals in the EU, the GDPR requires that investment adviser to use only those third parties who have implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR. An investment adviser, therefore, must conduct appropriate due diligence on the vendors that it selects to process personal data on its behalf.
The GDPR also requires that the processing of personal data by a third party be governed by a contract or other legal act under EU or national law. Among other things, that contract or other legal act must provide that the third party will:
- Process personal data only in accordance with documented instructions from the investment adviser;
- Commit to confidentiality;
- Implement appropriate technical and organizational measures to protect the security of the personal data it processes for the investment adviser;
- Not engage another entity to process the personal data, without prior written authorization of the investment adviser;
- Assist the investment adviser in complying with its obligation to respond to individuals’ requests to exercise their rights under the GDPR;
- Assist the investment adviser in complying with certain other obligations under the GDPR (such as data breach notification);
- Delete or return all the personal data to the investment adviser once the third party no longer is providing services, and delete existing copies of such data unless applicable law requires the storage of the personal data; and
- Allow for, and contribute to, audits by the investment adviser.
F. Data Protection Officer or Representative
Investment advisers should determine whether they need to hire or retain a Data Protection Officer (“DPO”). DPOs have specific enumerated rights and duties under the GDPR, including being the point of contact for EU regulators and EU individuals concerning the organization’s compliance with the GDPR. The types of entities listed below are required to hire or otherwise retain a DPO. (It would likely not be typical for an investment adviser to need a DPO).
- Entities whose core activities involve “regular and systematic monitoring of data subjects on a large scale,” or
- Entities that conduct large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like.
Even where a DPO is not required, however, the GDPR requires organizations to designate in writing a representative to be in charge of ensuring compliance with the GDPR. Such representative would be the point of contact for EU regulators and EU individuals concerning the organization’s compliance with the regulation. Furthermore, the text of the GDPR provides that the representative must be established in an EU country in which one or more individuals whose personal data the adviser processes reside. The data representative can be an employee, or the adviser may hire a company in the EU to act as the representative.
G. How Can Personal Data Legally Be Transferred Out of the EU?
An investment adviser must have a valid legal basis to transfer personal data from the EU to a country outside the EU. Currently, three methods are available to legally transfer personal data from the EU to the United States:
- The EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework: Self-certification under either framework is voluntary. However, once an investment adviser commits to comply with either framework, that commitment becomes enforceable under U.S. law.
- Binding Corporate Rules: Binding corporate rules are internal rules that would be established by the investment adviser to address data transfers out of the EU. Such rules enable multinational investment advisers to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of data protection. The GDPR provides a lengthy list of subjects that an investment adviser’s binding corporate rules must address, and an investment adviser’s draft binding corporate rules must be approved by data privacy regulators in the EU countries in which it operates.
- Model Contractual Clauses: These are specific standard clauses to be included within contracts (or as stand-alone contracts) between entities or individuals in the EU and entities outside the EU. If parties modify the language in those model clauses, however, there is a risk that regulators will determine that the modified language is insufficient to grant legal protection to the transfers.
H. What Steps Should Investment Advisers Consider Taking to Prepare for GDPR’s Implementation?
Investment advisers should consider taking the following steps to prepare for GDPR’s implementation:
- Determine whether you are subject to the GDPR. As noted above, investment advisers who either have a physical presence in the EU, have employees in the EU or have investors or clients in the EU (even without a physical presence in the EU) will most likely be subject to the GDPR.
- Determine what personal data you currently process, and determine what personal data must be processed for your legitimate business purposes. Investment advisers should not process more personal data than is necessary to operate their normal business activities.
- Determine where personal data is stored, and who has access to such data. Only personnel within the firm who need to access the personal data should be able to do so.
- Review subscription agreements, prospectus disclosures, data protection policies, investor onboarding documentation and other documents to address compliance with the GDPR. Disclosures regarding personal data should be in clear and plain language, and ideally would cover at least the following topics:
- The types of personal data being collected;
- The manner in which personal data may be collected, used, stored, transferred, erased or otherwise processed;
- Disclosure of the third parties to whom the investment adviser might transfer or otherwise disclose personal data;
- The length of time personal data will be retained (or alternatively, the criteria used to determine how long personal data will be retained);
- Description of individuals’ data protection rights under the GDPR; and
- How individuals can withdraw their consent to the processing of their personal data;
- Determine whether you need to obtain consent from individuals in the EU to process their personal data, and maintain a record of all consents obtained. Such consent can be obtained from new investors in a fund in the subscription documents completed by such investors, and from new clients as part of their managed account agreement with the investment adviser. With respect to existing clients and investors, any necessary consents can be obtained via a new communication (operating as a standalone consent or an amendment to a current agreement). The request for consent must be “clearly distinguishable” from the other matters addressed in those agreements. Moreover, consent can be withdrawn at any time.
- If you have any employees in the EU, review relevant employment agreements and employee handbooks.
- Determine whether you have the organizational and technological means in place to handle requests from individuals in the EU regarding their personal data in a timely manner (typically within one month).
- Update your data breach incident response plan as necessary. The GDPR provides that where feasible, the applicable data protection authority should be notified within 72 hours after you have become aware of a data breach (unless an exception applies). Moreover, in many cases you must also notify affected individuals “without undue delay.”
- Determine whether you transfer personal data to any third parties for processing (e.g., to service providers such as administrators, paying agents and distributors). Conduct appropriate diligence on each third party’s privacy and security measures, and put contracts in place with each of those third parties that meet the GDPR’s requirements.
- Ensure that your employees are aware of the GDPR’s requirements that relate to their normal duties, and train employees as necessary.
- If you transfer personal data from the EU to countries outside the EU, establish a mechanism to do so legally (See Section G., above).
- Hire or engage a DPO (if required) or a representative to handle compliance with the GDPR.
- Review existing insurance coverage to determine whether it is sufficient in light of the GDPR.
I. What Are the Potential Penalties for Non-Compliance With the GDPR?
Regulators can assess steep penalties for non-compliance with GDPR. Lower tier violations may result in penalties of the greater of €10 million or 2% of the entity’s global gross revenue for the preceding financial year. Upper tier violations may result in penalties of the greater of €20 million or 4% of the entity's global gross revenue for the preceding financial year.
For more information on the topic discussed, contact Michael Riela at firstname.lastname@example.org or (212) 508-6773 or Beth Smigel at email@example.com or(212) 702-3176, or your usual contact at Tannenbaum Helpern.
About Tannenbaum Helpern’s Cybersecurity and Data Privacy Practice
Tannenbaum Helpern’s Cybersecurity and Data Privacy practice regularly advises investment advisers and other types of clients in managing and responding to the ever-evolving data privacy and cybersecurity landscape. We provide the following types of services:
- Prevention: Helping clients develop proactive procedures and policies designed to mitigate their risk of data security breaches, and to help them be prepared to deal with security breaches efficiently when they inevitably do occur;
- Compliance: Helping clients comply with applicable privacy and security laws and regulations, including the GDPR and the SEC’s cybersecurity rules and guidance;
- Risk Reduction: Negotiating contractual protections with vendors and contractors who have access to clients’ and their customers’ information, conducting employee training to recognize and avoid security threats, and directing clients in how to obtain appropriate cybersecurity insurance protection;
- Response: Responding to data breach incidents when they occur, including implementing breach response and notification plans as required by applicable law, and liaising with law enforcement and other immediate responders such as insurance companies, forensic experts, technical consultants, and public relations professionals; and
- Dispute Resolution: Defending clients in connection with any disputes and legal claims that arise from cyber breaches.
The effective management of cyber risk often requires input from insurance professionals, information technology experts, forensics experts, public relations experts and others. Our Cybersecurity and Data Privacy practice can connect you with qualified professionals in these fields.
 Our November 2017 BulletPoint memo titled General Data Protection Regulation Affects Investment Advisers with EU Clientele provides a general overview of how the GDPR affects U.S.-based investment advisers who have clients in the EU.
 The applicability of the GDPR does not depend on an individual’s citizenship or residency. For example, the GDPR applies to the personal data of U.S. citizens who are physically present in the EU.
Courts in the EU may later determine that the model contractual clauses will no longer be a valid method to transfer personal data outside the EU.
For more information on the topic discussed, contact:
BulletPoint® is a newsletter of Tannenbaum Helpern Syracuse & Hirschtritt LLP’s Investment Management practice. It is an alert covering recent regulatory and tax developments impacting the financial services industry. To subscribe for the newsletter, send email to firstname.lastname@example.org.