The EU General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The Irish supervisory authority for GDPR is the Data Protection Commissioner (“DPC”). GDPR has a significant impact on the Irish funds industry, including funds, fund managers and fund service providers. The legislation requires all parties to consider and demonstrate their compliance with GDPR and introduces severe fines of up to the larger of €20 million or 4% of annual turnover for breaches.
Application to Funds and Management Companies
GDPR applies to any organisation that handles the personal data of EU citizens. This brings Irish funds and management companies into scope where they control and are responsible for information, such as the personal data of directors and of shareholders. GDPR creates a distinction between data controllers (who determine the purpose and means of processing) and data processors (who process personal data on behalf of data controllers). Funds and management companies are primarily data controllers, but may act as data processors in some circumstances.
The KBA GDPR Service
KBA provides a dedicated GDPR compliance service to funds and management companies. The service is provided as a single seamless solution, but can be bifurcated as follows, with a brief description of each part of the service below:
Initial GDPR Compliance Analysis
- KBA will take an inventory of personal data held by the fund or management company and conduct a data mapping exercise. KBA will use this inventory to create a data processing register.
- KBA will determine, for each type of personal data collected and processed, the legal justification relied upon to control and process such data. If consent is relied on, KBA will ensure that such consent is properly obtained and that data subjects are advised on how they can withdraw consent.
- KBA will review current data protection privacy notices, if any, for compliance with GDPR and draft new privacy notices if required to meet the increased information rights of individuals under GDPR. KBA will also advise on how and when privacy notices should be provided to investors and directors.
- KBA will draft a Data Protection Policy that sets out a framework detailing how the fund or management company will ensure compliance with GDPR going forward. Data Protection Policies can serve as a useful guide for ensuring compliance and as a tool to assist in demonstrating compliance in the case of a GDPR audit by the DPC.
Ongoing GDPR Compliance Support
- KBA will provide a Data Protection Compliance Consultant (“DPCC”). Appointing a DPCC is recommended so that the fund or management company has a designated individual whose role is to ensure compliance with GDPR.
- A KBA-provided DPCC will carry out all the activities listed above under “Initial GDPR Compliance Analysis”, as well as the following ongoing activities:
  - Reporting data breaches to the DPC within 72 hours of becoming aware of such breaches
  - Obtaining confirmations from service providers to the fund or management company of compliance with GDPR
  - Carrying out data privacy impact assessments (DPIAs) where processors or processing activities change
  - Addressing, within 1 month of receipt of the request, any data subject access requests (DSARs) to rectify inaccurate personal data, erase personal data, restrict processing of personal data or receive copies of personal data being held
  - Reporting quarterly to the Board of the fund or management company on the following issues:
    - Overall compliance with GDPR
    - The occurrence of data protection breaches, and whether they were reported to the DPC
    - Results of any DPIAs carried out
    - Annual confirmation from service providers to the fund or management company that they have adequate policies and procedures in place to identify and report data breaches
    - Records of any DSARs received from data subjects and information on how they were addressed.
The KBA Advantage
KBA’s GDPR compliance service is a practical and cost-effective solution offered by a team of dedicated professionals with experience in regulatory compliance.