WEBINAR TRANSCRIPT
Nick Donato: Hey, folks, hello. Welcome to today’s presentation, where we’ll be discussing everybody’s favorite incoming regulation, the GDPR, or the General Data Protection Regulation, which of course is Europe’s incoming law to harmonize data protection across the continent. And GDPR is, I’m sure, something that you’ve been hearing a lot about as we approach the May 25th deadline date, which is about two months away now, but much of the literature and resources that you’re probably finding online and everywhere else isn’t really geared for a private funds audience. And so what we want to do here today is talk about how to interpret GDPR’s provisions, and all of the new requirements, from the perspective of a private fund manager.
And to do that Navatar has recruited two of the industry’s leading thinkers on GDPR; that is Clifford Chance partner, Daniel Silver, and Corgentum Consulting managing partner, Jason Scharfman. I’ll introduce you to both of them in just a bit, but before that, allow me to introduce myself, and perform a little housekeeping. I’m Nick Donato, and I’m an industry strategist here at Navatar, which is a cloud software provider for the private funds industry, and that includes platforms to run your business; if you’re in private equity, venture capital, hedge funds, real estate and more. Should you have any questions during today’s presentation, by all means send them our way. You should have a GoToWebinar tool that should be in front of your screen there. What I’ve done is I’ve just reserved time at the end to field them. And as an FYI, because this comes up a lot, we’ll make sure to send out a recording of today’s broadcast. So just look for that in your inbox in the coming days.
So let me give you the quick background on Navatar and how we’re connected to your industry. Navatar is, by far, considered the premier platform to do things like run your fundraises, manage your LP relationships, and source and manage deals. Now, in the old days, you, of course, had to do that off of a clunky Excel sheet or maybe a Word document. But Navatar is a smart platform that allows your partners and your associates to collaborate together. And we offer proprietary workflows to make sure that you never do things like leave an important LP ignored for too long, or miss out on a deal that maybe matches your investment criteria. We have over 600 customers across 35 countries and growing. We are built on top of Salesforce and Box. What that means is that we’ve taken the two most trusted names in cloud security and really just configured them for the private funds model, meaning that just everything comes ready outside of the box.
So that being said, I’m going to ask our two distinguished speakers to introduce themselves, and give the background on them and their firms. So Dan, let’s start with you. And then we’ll move on to Jason.
Dan Silver: Sure. Thanks very much, Nick. My name is Dan Silver. I’m a partner with Clifford Chance, based in the New York office. Clifford Chance is a global law firm with offices throughout Europe, Asia, and here in the US. I’m a partner in the litigation and dispute resolution group and focus on data security and cybersecurity. I serve as co-chair of the cybersecurity and data privacy group here in Clifford Chance, and counsel clients on a wide range of cybersecurity related issues, everything from data breaches to regulatory compliance, to follow-on private litigation.
Nick Donato: Thanks Dan. And Jason?
Jason Scharfman: Yeah. Hi, everybody. My name’s Jason Scharfman. I’m the managing partner of Corgentum Consulting in the New York office, and we are a consulting firm that specializes in operational due diligence reviews on behalf of LPs in private funds. The focus of our practice is reviewing a lot of technology, compliance and cybersecurity risks for LPs considering investing into a fund, and then post-investment, ongoing… So, certainly, GDPR falls within that bandwidth, and we’ve seen a lot of good questions from LPs on this, as well as fund managers, that we are happy to talk about today.
Nick Donato: Thanks to both. So the way I want to start this conversation is by, first, saying that if you’re a private fund manager out there and you’re feeling worried about your firm’s progress in GDPR, you should at least maybe take some comfort in knowing that you’re not alone. From what I’ve been seeing and hearing, much of the private funds industry is still in a little bit of a wait-and-see mode to see how GDPR compliance will shake out. And even though that May 25th deadline date is looming, I would encourage you all to see this as a marathon that requires, let’s say, some careful pacing. Nonetheless, it’s important to get a handle on your GDPR compliance planning, and as I alluded to earlier, that can be tough knowing that much of the literature out there isn’t really geared for our industry.
So, for example, you may be feeling confused about how to delete data at an LP’s request when a securities regulator is telling you otherwise, or, for example, what types of insurances you should receive from your third-party vendors. And on that point, I’m going to ask Navatar’s COO, Ketan Khandkar, to speak to us a little bit later on how Navatar is tackling that. So with all that being said, we’ll do our best to angle this conversation from the perspective of what a GP should care about. So Dan, let’s start with you, and to kick things off, let’s discuss who in our industry is even impacted by the GDPR?
Dan Silver: Sure. And let me say, Nick, I agree with you in terms of what I’ve heard from clients and audiences I’ve spoken to. I think that, particularly, US-based private fund managers are sort of still trying to wrap their heads around how this regulation will apply to them. So, I guess, just to start at the beginning by defining a couple of key terms that will come up throughout the course of this presentation, the GDPR really categorizes all entities in terms of two different categories; data processors and data controllers. And most fund managers, the ones who are impacted by GDPR, will be characterized as data controllers. And a data controller, for these purposes, is really just any entity that collects data, personal data, and uses it for any commercial purpose. And personal data is defined very, very broadly. So it’s really any information that could be used to identify a human being; even a name, a date of birth, an address. It’s a broader set of identifiers than would typically be considered PII, or personal identifying information under existing US law. So that’s what a data controller is, and as I said, most fund managers will fall into that category. We’ll talk a little bit more about how you’ll be captured by GDPR in a moment.
The other important category is a data processor, and those are entities that do something with personal data in connection with providing a service to a data controller. So the best example of that would be your fund administrators who are doing AML and KYC types of reviews. Those would clearly be data processors for these purposes. And they have certain obligations under GDPR. So, I guess, having said that, turning quickly to how and when does GDPR apply, particularly, to a fund manager that’s based in the US or outside the EU, it can apply in one of a few different ways. First of all, if you have an “establishment” in the EU, and that could be, obviously, an EU-registered fund, a fund manager would, of course, count as an establishment, or even a representative office of a US-based manager would count as an establishment. So if you have a kind of brick and mortar presence in the EU, then you are very likely going to be covered by GDPR. If you don’t have a brick and mortar presence in the EU, then you still may be covered under one of two different categories.
The first is if you are “offering goods or services” into the EU. And so that has to be some sort of intentional, systematic marketing to EU-based investors; could be individual investors or institutional investors, that is going to render you subject to the GDPR. And that’s, I think, probably the most important category, in the sense there’s a lot of US-based fund managers who don’t have that brick and mortar presence, but will be captured by that offering goods or services prong.
And then lastly, and this is probably a little bit less applicable to most of you listening today, if you’re monitoring the behavior of EU residents, then that can also render you subject to GDPR, even if you don’t fall within one of the other two categories. And monitoring behavior could arise, for example, in the context of alternative data harvesting. So if you’re doing something with alternative data, and that data includes personal information of EU citizens that could, at least potentially, qualify as monitoring for purposes of GDPR. So those are sort of the broad categories in terms of who is impacted.
Nick Donato: And then, Jason, can you speak to that same point we alluded to earlier about just how the different asset classes, how ready they’re feeling about GDPR?
Jason Scharfman: Yeah, I agree with both your comments. Definitely, anytime you have a new regulation, such as this, and particularly with GDPR because it sort of bridges the gap between technology and legal, the feedback that we get from all the managers we talk to is that… I wouldn’t say they’re behind the curve, but exactly as you said, sort of a wait and see approach. Nobody wants to be the first one sticking their neck out there, declaring, “This is how we’re going to do it.”
So it’s kind of a cautious and slow approach in terms of implementing the solution. I would say, certainly, people who have direct offices in the EU, so a hedge fund for example, who is based in New York, but has a research or a marketing office in the UK, for example, is definitely ahead of the curve, based on what we’ve seen in the market, as opposed to an entirely US-based private equity firm that just raises capital in the EU. That type of thing. So, certainly, I would say a physical presence is one of the things that drives how far along different managers are in the process.
The next thing I would say also is just notice how well-resourced managers are. So if you look at hedge funds, we’ve seen, obviously, the larger, better-resourced funds taking a more proactive approach in these types of areas because they have the resources to. Whereas smaller funds, even though they might be raising more capital in Europe than, let’s say, a larger fund, on a percentage basis, they’re a little more behind the curve. But in general, if I had to rank it, I would say hedge funds are sort of leading the pack with compliance, seconded by private equity and everyone else. So that’s sort of the general approach that we’re seeing.
Nick Donato: And then, Jason, a quick follow-up question to that, I know that hedge fund managers, private equity managers, the entire industry, they’re all working with lawyers, they’re all trying to determine just how impacted by GDPR they are. Whatever conclusion they reach, is there a best practice in terms of how they share that with LPs? I know they work with LPs, are they asking about this? Is it a simple declaration that, “Yes, we’re on top of it,” or is it something else?
Jason Scharfman: Yeah. I would say it’s a little bit of a balancing act because the general perception among a lot of managers is they don’t want to raise certain types of issues with LPs that they don’t have to, simply because they don’t want to make them nervous, in terms of another thing that they have to comply with, or another potential risk area that can expose the manager to regulatory action. So I wouldn’t say that they’re proactively waving the flag. If investors are asking about it, some managers, I would say, are better coordinated in their response than others, right? So some have started amending their existing policies, compliance policies, or technology policies to talk about how they’re going to approach this. Others have just put together one or two paragraphs saying, “Yes, we know what GDPR is, and we have a plan to comply with it,” sort of an off-the-shelf response.
And that’s useful, both to get the manager, themselves, within their firm, to sort of coordinate their thinking in terms of how they’re going to approach this, and then they can share that with their employees. And, obviously, the added benefit is they have something for investors when they ask about it. But we’ve also come across managers who just sort of say, “Wait and see. Yeah, I might be affected. I’ll talk to my lawyers if the issue comes up.” And that’s, certainly, at this point in the game, not acceptable for LPs, and it just gives them another sort of reason to say, “Okay. Scratch my head. What else? Is this manager really taking this seriously enough?”
Nick Donato: Good points. And so, Dan, earlier you mentioned that if you have a brick and mortar establishment anywhere in Europe, you’re going to be impacted by GDPR, but that there are still certain things that could hook in a non-European manager, and that’s with respect to marketing. So I want to move on to that and hear your thoughts.
Dan Silver: Sure, and that’s, I think, a lot of the questions that I’ve gotten over the past couple of months have been focused on exactly that issue, “What kinds of fundraising or marketing activities will make me subject to GDPR if I don’t have any sort of physical presence in the EU?” And I think it’s obviously going to be a context-specific kind of analysis for any particular manager.
And, I think, generally speaking, what we’ve been telling clients is, “Look, if you happen to have a handful of EU investors who have come to the fund in various ways, but not through any sort of organized marketing efforts, then you’re probably going to be okay.” And so one specific question we’ve gotten is, “If we relied on the reverse solicitation exemption to sign up EU-based LPs previously, is that going to sort of also make us exempt from GDPR?” And so I guess the answer is, “Not necessarily, but maybe,” is probably the best answer we can get. Reverse solicitation is not a defined term within the GDPR.
So there’s no sort of specific reference to that particular concept. What there is, as I noted earlier, is just the general concept that if you are intentionally offering goods or services into the EU, then you are subject to GDPR. And so, I think that, again, it’s going to take sort of an analysis of what kinds of marketing activity are happening? Are there regular in-person meetings occurring in the EU? Are there EU-based intermediaries that are being used to raise capital? What percentage of LPs are in the EU? Is it a significant proportion? So all those kinds of questions will be relevant to this analysis of, “Are you offering goods or services into the EU?”
I guess, one other thing I would mention is that I’ve also had a lot of questions about retroactivity, and so questions like, “Well, if we used to do organized marketing into the EU in previous years, but we’ve stopped it, we’re not doing it currently and we don’t intend to do it after May 25th, which is when GDPR becomes applicable, then how does that apply?” And, thankfully, the GDPR is not retroactive in the sense that it won’t look back to capture past activities. The analysis should really be made on a going-forward basis in terms of what’s the state of play going to be on May 25th, and in the coming months and years.
One caveat that I would note in that regard, though, is that if you perform that analysis and you conclude, “Okay. I am going to be subject to GDPR going forward, whether it’s through a physical establishment or offering goods or services,” then the GDPR is retroactive in the sense that you’ve got to look at all your existing agreements and policies to make sure that you are GDPR-compliant, even with respect to investors who existed before May 25th. So it’s not just something you have to worry about when you deal with new investors. It’s something that will apply to any EU data that you hold after that date.
Nick Donato: And then, Jason, at the micro level, we have a lot of fund managers concerned about what changes they need to make to their website, or what changes they need to make to their email behavior, let’s call it. Insights on that?
Jason Scharfman: Yeah. I think the first thing that they have to do is… And this goes to just having a fundamental understanding of the requirements of the law, and that’s where working with their attorneys can give them that sort of outline, to make sure that they understand what the requirements are. Then, once that’s in place, they can apply that to their entire business. So that would certainly be on the website. If they are collecting investor data, whether that be solicitations or requests for further information, but more likely that they’re distributing investor data, and a lot of times that will either funnel through a third-party provider, such as an administrator’s website, or there’s a number of off-the-shelf vendors, or data rooms that they use to transfer this data.
So it’s, I would say, a collaborated effort, and I know we sort of hinted at this throughout the call already, but a collaborated effort, not just for example, saying the manager’s own website, but the entire universe of ways they’re interacting with investors. And the other thing is, whether it be communications with investors or disclosures that they make in other ways, through email, or that they collect information through email, just being conscious and sort of training the employees of the firm to say, “Okay, there’s this new regulation out there. It primarily affects how you collect and store and notify people about their personal data on a high level. You should all be aware of it, and be careful how you collect that data and what to do after you get it, and then apply that across the mediums.” That’s what I would say.
Nick Donato: Right. And that, of course, too is an ongoing compliance exercise. Moving on to the scary elements of the GDPR, I want to talk about what happens if you’re in violation of the regulation. And so, Dan, that’s an easy one there for you to kick us off with.
Dan Silver: Sure. And this is what’s, obviously, been attracting a lot of attention and headlines. So the GDPR includes fairly stiff potential penalties for non-compliance, and those penalties can include monetary fines of up to 4% of global revenue for the entity that violates the GDPR.
There’s been a lot of speculation in terms of how stringently this is going to be enforced, particularly, with respect to non-EU-based entities, and that’s a difficult thing to predict. And I know that in the UK, for example, the Office of the Information Commissioner has historically been a relatively small agency. They’ve certainly committed to bulking up to have the ability and capability to enforce this new regulation. And just in the last few days, we’ve seen headlines from that agency conducting search warrants in connection with, for example, the Facebook scandal. So they’re certainly, at least outwardly professing that they’re going to do their best to enforce this regulation rigidly. And my hunch is they’ll probably start with some low-hanging fruit examples of enforcement cases before moving on to more granular violations of the regulation.
The other thing that I should just say in terms of breaches and potential penalties is that the GDPR includes a very tight 72-hour notification deadline for data breaches when those data breaches have essentially a material risk of harm to individuals. And so an entity that’s subject to GDPR, whether they’re based in the EU or not, is supposed to notify a privacy regulator in the EU within 72 hours of discovering a breach, essentially without any exception. You do have a little bit longer to notify the affected individuals. That must be done without undue delay, but my sense is they’ll be looking for pretty rapid notifications to individuals as well.
And so for those of you that have never, thankfully, had to deal with a data breach, a 72-hour timeframe is a really, really tight timeframe to have to make any notification, and it’s tighter than most of the existing requirements that are currently applicable in the US. So what we’ve been telling clients is the only way to really prepare for that is to make sure that you’ve done some practicing to have a sense of who would have to be involved and what kinds of steps have to be taken to be able to make a notification within that kind of tight deadline.
Nick Donato: And Jason, knowing that every private fund manager will have their own internal practices and policies around data management, can you still speak to some of the best practices that they should be taking on in light of what Dan had mentioned about things like obtaining consent and notifying an LP about a breach?
Jason Scharfman: Yeah. So if you look at the actual regulations, it’s just further highlighting the point that they’re a little bit more strict than some of the other laws in terms of the 72-hour turnaround time frame with consent. My understanding is that it has to be in plain language, and not full of complex legal terminology. That’s sort of a user-friendly emphasis in this law.
So not only do you have to follow the laws of getting consent, the regulations of getting consent, but you have to do it in the proper way. I think that what we see the general thinking on that is two-fold, right? People want to cover their bases, so making sure that their lawyers say, “Okay, this language is plain enough that you can use it to get consent,” but also just having a conversation with people, whether it’s sending them a separate one page or whatever it is, from fund managers to their clients that say, “Look, this happens, these are your rights. This is what this law means.” Managers that have been very proactive in GDPR, sort of taking steps in that regard, have been putting together these one-pagers when these types of questions come up that are helpful.
So that’s the first thing I would say, is understanding that you can’t just throw a disclaimer at the bottom of an email or at the bottom of a marketing document that’s highly technical, and just assume by default that you’re going to be covered. The other thing, as part of this, as Dan mentioned, is the 72-hour breach notification, but then there’s also these expanded rights to access data. So you have people… If you’re a private fund manager and I have LPs that are invested in the fund, under GDPR there’s expanded rights, in terms of telling people what the data is going to be utilized for and for what purpose. And once again, I think that facilitates the plain language elements of it.
And also, in terms of the consent, understanding that there’s portability concerns that the data can be portable, and then also erasure concerns. So my point is, I think a manager is doing himself a disservice if they say, “Oh, yeah. We’re just going to get informed consent, and we’ve checked the box in this requirement.” That’s not… It’s part of a puzzle of many different things that touch consent. It’s not just consent in and of itself.
Dan Silver: Right. Just to add to that quickly, Nick, and I agree with what Jason was saying, one thing to keep in mind about consent; it is a bit tricky in terms of what qualifies as consent under GDPR. To back up a little bit, the reason we’re talking about consent is that, under GDPR, you have to have essentially a lawful basis for using the data that you’re collecting in the way you’re using it. And consent is one of those potential lawful bases to have. And as Jason was saying, consent under the GDPR is more onerous than it has been thought of previously, and it can’t be legalese, so to speak.
One thing that we’ve been telling people is that it may be actually better and easier to rely on one of the other enumerated bases that exist, other than consent to process data. So for example, there’s a separate prong that essentially is legitimate business purpose. And so if you’re, for example, collecting personal data from investors to meet your know your customer requirements under US AML law, that is likely going to be a legitimate business purpose for processing that data in that way, and you just need to be sure that you’ve documented the fact that you are using that data for that legitimate purpose, and that use is disclosed to the investors. So that’s just one example of a different way to fall within the GDPR’s requirements in terms of having a lawful basis. You don’t have to, necessarily, rely on consent for each and every use.
Nick Donato: Yeah, and these are all complex questions that create an easy segue to my next question because there’s one person, in particular, at the firm who is going to have to be ultimately responsible for these and that is the Data Protection Officer. So Dan, let’s stay with you in asking just what are the legal requirements of a DPO? What should they be aware of?
Dan Silver: Sure. So, I guess, let me first say that not every data controller will necessarily have to have a DPO under GDPR. So you’re required to have a DPO, a Data Protection Officer, if you are “engaging in the regular and systematic monitoring of data subjects on a large scale.” For private fund managers, that’s really going to depend on your size, the scale of your activities with respect to the EU, things of that nature. So it’s possible this requirement may not apply to you, even if you’re otherwise subject to the GDPR for one of the reasons we talked about earlier.
If you do have to have a DPO, and it may be useful to have a DPO or a DPO-like person, even if you don’t fit the definition of what I just said, then there are certain requirements under the GDPR as to what that particular person must do and must have the ability to do. So they must be independent. Sort of similar to how we think of a CCO role. They must have independence. They must have adequate resources and qualifications to perform their duties. They must have the ability to have direct access to senior management to escalate issues when necessary. And they, of course, monitor compliance with the GDPR and cooperate with any requests for information that are submitted by data protection authorities. So those are the basic DPO requirements.
Nick Donato: And, Jason, we heard Dan logically refer to the CCO as a natural candidate. Are there any concerns in assigning the CCO?
Jason Scharfman: Yeah. Definitely, I think there are logical correlations. I was just going to add another thing that we’ve seen people equate it to in practice is an MLRO, which is a Money Laundering Reporting Officer, which is a requirement of some funds as well, which in many cases could be the CCO. So I think Dan enumerated a number of really good similarities. One of the other things that we see that people… LPs and managers in the way that they think about it is that there’s a requirement that the DPO must report to the highest level of management, avoid conflicts of interest, have appropriate resources.
So I wouldn’t say that there’s anything wrong with having the CCO be designated as the DPO, but as with most of these things, there’s the titular concern, “Who’s having the title?” And then the sub-concern of who’s doing the work, right? So in many cases, you’ll have a deputy CCO, or a deputy Money Laundering Reporting Officer. And in a big, large, complicated firm, the CCO might be more of a quarterback, as opposed to doing the nuts and bolts of this type of work. So that’s one of the concerns that we see is this CCO is a busy person, and they’re not necessarily involved with all the minutiae. So having the appropriate resources, internally, whether that’s a deputy person who’s involved more in the day-to-day or a sub-committee that the CCO then monitors, that could be focused on GDPR. Whatever approach they decide to take. The concern is less, “Who holds the title?” and more, “Is there appropriate oversight of this, with somebody who has enough time to really dedicate to managing this type of issue?”
Nick Donato: And they do have the option of delegating that to a third-party service provider if they wanted to. Is that correct, Jason?
Jason Scharfman: I believe so. Yeah. I believe that they can delegate it, but ultimately the responsibility still remains with the firm. So once again, just because they delegate… It’s sort of like an outsourced chief compliance officer, right? The manager is still responsible, even though they’ve delegated the responsibility. It’s not a risk assignment, I would say. It’s more of just an additional resource. There’s nothing wrong with that type of framework, by the way. But, certainly, regulators have criticized firms that just try to completely outsource that responsibility because they can’t.
Nick Donato: And speaking of third-party vendors, Dan, if you could give us some basics on what GPs should be thinking about when working with third-party vendors from a GDPR context.
Dan Silver: Sure. As I mentioned before, you have either data controllers, and most managers, if they are subject to GDPR, will be data controllers, and then you have your data processors, who are performing some sort of service for the controller. And as a data controller, your obligation, essentially, is to ensure that your data processors are GDPR-compliant.
And so, typically, how that works is there will be a term in the service agreement that mandates GDPR-compliance. And one of the things that the data processor must commit to do is notify the data controller in the event of a data breach. Again, that notification must be very prompt so that the data controller can in turn fulfill its notification obligations to the government authorities and to any affected individuals. So, essentially what we’ve been telling clients is that they have to think about, “Okay, of all the various vendors out there, which ones are going to be processing, doing something with data that would include personal data of EU residents?”
And for each of those kinds of vendors, you have to take a look at the services agreement, take a look at their policies with respect to this issue, and make sure they have committed to be GDPR-compliant. And so that typically is any outsourcing of IT services, fund administrators, things of that nature. AML resources, if those are being outsourced, would fall within that requirement as well.
Nick Donato: And, Jason, we heard Dan mention… I’m sorry go ahead.
Jason Scharfman: I was just going to add a follow-up to that, on a related note, we’ve seen a lot of people being, not puzzled, but really challenged by the use of the cloud in that equation. So if I am a manager and I store data on a cloud, and also if I have a vendor and they store data on a cloud, there are additional considerations there, in terms of the privacy, security of the use of that cloud and potentially who has access to that data on the cloud. Because if I’m a fund administrator that… If I’m a hedge fund and I have an administrator, and the administrator is storing data on some other cloud, and there’s a breach of the cloud company, let’s call it, then that can affect the administrator and the funds. So that’s an overarching consideration of all of this, whether it be the manager or a vendor, because the cloud is so popular.
Nick Donato: Right, and going back to Dan’s earlier point, you have your fund administrator, you may have an accountant, you may have an IT provider, which may be in the cloud, so how do you coordinate the compliance across those multiple third-party service providers?
Jason Scharfman: Yeah, and we’ve seen some funds that have really dug into some of these issues, and they’ll start talking to their administrator, let’s say, and the administrator will provide all this information about the cloud, but there’s further questions that need to be researched, in many cases.
So that’s why starting this process early, rather than waiting until a breach occurs because of the particularly tight deadline and the large potential penalties, is certainly advisable because there’s not going to to be enough time to do this, and it will be after the fact. So that’s why you really have to kick the tires on these issues earlier.
Nick Donato: Final question, and this one, because we are two months away, what I’d like is for each of you to just provide some last minute items that should be on any GP’s checklist in the run up to the May 25th deadline. Dan, if we can start with you?
Dan Silver: Sure. Basically, what we’ve been doing when we’re contacted by a fund manager, or other client, at this stage is… I think the first step, obviously, is answering the question, “Am I going to be subject to GDPR?” And that can require some thought. And if the answer to that is, “Yes,” then what we would recommend is create a checklist. And I use the word checklist, but it’s really a bit more… There’s a bit more thought involved in that. It’s a tailored action item list that is tailored to the applicable manager and identifies the types of data that are being collected and the types of processors that are being used.
And then triaging, essentially, “Okay, now that we know where we think our obligations are going to lie, what are the most important things to make sure we have looked at and accomplished in advance of the May 25th deadline?”
And those types of things are going to be, among others, updating your disclosures to LPs, and any other EU-based individuals who you may deal with, and also reviewing and updating your services agreements. Those are probably going to be the most important things. There will be other things to think about as well, such as updating compliance manuals and staff training and incident response planning things, things of that nature, which are also important. But we’ve been typically helping clients triage in dealing with some of those items that I mentioned, first, as the most pressing issues.
Nick Donato: And Jason?
Jason Scharfman: Yeah, I think a few things. First of all, we’ve seen some people say, or attempt to buy time, saying, “Well, Brexit… In the UK, Brexit is still up in the air, and that might cause this to change within the UK.” The UK government sort of says, “No, this doesn’t… ”
The next thing I would say is, really, these types of considerations in personal data, what we’ve seen more sophisticated managers and, particularly, more sophisticated LPs focus in on, when they’re looking at these managers, they’re saying, “Okay, you have these considerations for this type of data, but this is just one of many laws that you’re complying with, or will have to comply with. So do you have really an intelligent, coordinated plan to approach these types of requirements so that you’re not duplicating the efforts across each law, restarting the wheel?”
So one of the elements of GDPR is sort of that systems have privacy, by design. So that’s just a function into… There’s other laws that have other requirements in terms of the personal data, security, etcetera, that managers may be subject to, and just understanding, really, “Are you doing this in a coordinated way?” And look, nobody expects a manager to get it perfect the first time, but the better managers we’ve seen have said, “Okay, this is just part of a bigger process. We need to understand how we’re going to coordinate this across the firm.” As opposed to, “Let’s just run as fast as we can to comply with GDPR, but we’re also doing that for five other laws or requirements.” So just coordination. I think that’s the big key.
Nick Donato: Thanks for that, Jason. So earlier, you had mentioned cloud security. So what I want to do now is bring in our COO, Ketan Khandkar, who is going to walk us through how Navatar, which is a cloud provider, has been approaching GDPR. And even if you’re not a Navatar client, I would encourage you to watch because as more fund managers migrate to the cloud, this is a good example of the types of assurances that you should be receiving from your provider. So with that being said, I’m going to turn things over to Ketan.
Ketan Khandkar: Thanks, Nick. And first, as all of you have already heard, there are several aspects to GDPR, and overall, the burden of managing the data, the burden of making sure the data is secure, but also the importance of utilizing or using the data per the guidelines.
So from that perspective, and you’ll see kind of a few of the items listed out here, and then, Jason had also mentioned cloud security as another issue because many of you may have systems that are cloud-based; they’re getting more and more popular. And for all the customers of Navatar who are on the webinar today, or as Nick said, anyone who’s looking at a cloud solution, I think these are some important aspects to consider.
From a Navatar platform perspective, we already have all these things in place to enable our customers to manage and kind of be compliant with GDPR. A big part of that is data security and the ability, again, of making sure that all the data that you have in whichever cloud provider that you’re using, and in this case, we’re talking, now, about Navatar, that the data is secure, it’s encrypted, even if there is a data breach, there are security protocols that will not allow people to actually access the data.
So it becomes even more important, now, when you’re making a decision in terms of any system to choose from, to make sure that the security is super-tight. And, again, from a Navatar platform perspective, I think that’s one aspect that we’re really proud of.
The second thing to be looking at will be, we talked about the fact that a lot of new policies have to be put in place. And that’s great, but in terms of execution of those policies, you also need a lot of tools to not just track the information, but also execute on some of the new policies and processes that you may want to put in place. And again, we’ve included a whole robust set of tools that allow you to, for example, track all the different types of consent, to be able to automate some of these policies so that, let’s say, if you had to remove all the personal data for an LP who requests you to do that, it doesn’t become too tedious or too manual an exercise. So there are lots of tools that are available that allow you to track consent, to allow you to move data securely from your system to somewhere else to be able to… Any requests that come in from LPs, to remove any data that you’re tracking.
These tools allow you to do that seamlessly, and again, reduce the risk of manually, or losing things in the oversight. So those are both important aspects; the security of the system, as well as the tools that are needed to manage and comply with the policies and procedures that you’re putting in. So those were a couple of things that I’d thought we’ll mention in terms of Navatar’s readiness, but also in general, if you’re looking at any cloud provider, the kinds of things that you may want to ask that cloud provider about their ability to support the GDPR processes here.
Nick Donato: Thank you, Ketan. And so we are going to turn things over to audience questions. And we have a few that have come in. And the first one is touching upon something that, Jason, you mentioned earlier around Brexit. They’re asking, “As a London-based fund manager, how do my GDPR-compliance considerations change in light of Brexit?” If you can touch upon that, again?
Jason Scharfman: Yeah. As I mentioned, that’s a concern, or to talk more frankly, a smokescreen that some people are saying, “Well, we’re not sure what’s going to happen with Brexit. That it might be overturned, or there might be some sort of compromise.” And the UK government has said, effectively, that they agree with the EU’s GDPR principles, and that they’re going to comply with it.
And that is consistent, I think, with the regulatory approach taken by the UK across a number of different areas in relation to the EU, in the sort of post-Brexit vote approach. So, I think that, certainly, the most conservative approach is to assume that they’re going to have the same requirements, and the other thing I would add is there’s a number of other regulations that are more UK-specific, such as there’s one called PRIIPs, and that has a number of other data requirements that could affect managers as well. So really the fact that a manager is based in the UK, I would argue that they, potentially, have even more requirements and a higher bar to meet for issues surrounding data security, privacy, consent, everything we talked about on this call, as opposed to a manager in Switzerland, for example, who might just be thinking about GDPR-type considerations.
Nick Donato: Yep. And a second question has come in. This one coming from a New York City-based hedge fund that regularly leverages alternative data. Dan, that’s something that I know that you had mentioned earlier. They’re wondering how much of a new compliance risk this represents, under GDPR?
Dan Silver: Sure. So as I mentioned earlier, one of the ways that a non-EU-based manager can be subjected to GDPR is through the monitoring of personal data of EU residents. And so if you’re using alternative data… If that data includes personal information about EU residents and, again, personal information is defined very broadly, so just the name, an email address, really any kind of a personal identifier, and you’re using that data in such a way that could be construed as monitoring and, unfortunately, there’s not a ton of existing guidance out there as to what monitoring means, then you very well may be subject to GDPR as a result of that use of alternative data.
And once you’re subject, you’re subject. And so some thought should be given to how that data is being used, and whether there’s any way to tweak the way in which the data is being used prior to May 25th. If that’s the only basis upon which an entity is going to be regulated by GDPR, it may be worth changing the way that data is being used, rather than engaging in an entire GDPR-compliance undertaking.
Nick Donato: Right. We have time for one last question. And this one is arguably a difficult one. Someone’s saying how GDPR planning could sync with other incoming EU regulations like the EU eprivacy regulation, which we all understand is still in its planning stages, but how much should that play into current GDPR-compliance planning?
Jason Scharfman: Yeah, it’s Jason. I would just say that, exactly as we talked about through this call, it’s part of a matrix of a lot of different regulations, whether it be MiFID, AIFMD. Every manager has sort of a specific situation that they may or may not be covered by, but if you just look at the core, or sort of what’s the goal of this type of regulation, the managers take cybersecurity seriously, that they make sure their investors understand that they sort of have a number of different data rights, and whether next year there could be a different regulation. So whatever skin the regulation comes in, if the manager is adhering to good principles of maintaining data, protecting it, making sure people are informed about it, talking to their vendors, and understanding that that’s part of the ecosystem that they all have to comply with, the technicalities of complying will be much easier as opposed to just targeting their policy for a specific law.
And, ultimately, the LPs that are considering investing in the funds, or maintaining an investment in the fund, when they hire due diligence professionals like us to evaluate these things, we’re not looking just for a minimum compliance. So you work with a great law firm, they get you up to speed, you’re technically complying with all the nuts and bolts of the law. Minimum compliance is no longer good enough for a lot of LPs. So they want to see that a manager is proactive, that they’re addressing these issues, that they’re on top of it, and that they’re going above and beyond that. So that’s the kind of takeaway, I would say.
Nick Donato: Yeah. And so folks, we weren’t able to get through all of your questions, but on this last slide here you can see contact details for all three of us. So I would encourage you to reach out. And this, by the way, is one of many webinars that Navatar has put together. We have additional ones on fundraising, on deal sourcing and deal management. I encourage you to check those out as well at www.navatargroup.com. So on behalf of Daniel Silver and Jason Scharfman, this is Nick Donato and enjoy the rest of your day.