Data Protection in the UK post Brexit

23rd June 2020

In our hyper-digitised society, you can’t take five steps without data interacting with your life in one way or another, from using a digital map to get around, using a step-counter app to keep fit, or getting an email from a colleague. Fund management and asset management are no different but, unlike when we’re walking down the street in our everyday lives, businesses are more likely to be data controllers than data subjects. Two years ago, the General Data Protection Regulation 2016/679 (“GDPR”), the European Union’s rigorous data protection law, came into force with the intention of equalising data protection regulation across all member states. Of course, as the United Kingdom will be leaving the EU, many are asking about the fate of GDPR and data protection in the UK when the number of EU member states drops from 28 to 27.

Broadly speaking, GDPR defines personal data as any data that could identify a living person. Using this definition, it is clear that fund and asset management are exposed. Investors and customers give managers details of their identity, their residence, their source of wealth and their payment details among other information. Not only is this data collected but it is often passed on, for example to a third-party adviser or service provider. Personal data runs at the very core of fund and asset management and therefore businesses in these industries need to be particularly careful about how they process and approach data protection.

As recently as February, Google sparked controversy for its apparent plan to move British user data to the US, meaning that Brits would lose EU GDPR protections. Google has assured its users that its approach to data protection remains unchanged and that consumers are still protected. However, this example clearly illustrates the potential impact and uncertainty surrounding this issue. There is a lack of clarity around the extent to which Brexit will impact data protection, with some worrying that they will lose the protections of GDPR if the UK fails to maintain adequacy. There is also growing speculation that Brexit talks are reaching a deadlock and that productive discussions might be made more difficult, potentially having wide-reaching impacts on legislative equalisation and therefore data protection. Other experts, however, believe that the UK will quietly keep to GDPR and follow the EU’s guidance on data protection, although they may be loath to make it public. The Information Commissioner's Office (“ICO”), the UK’s independent data protection supervisory body, has explained that, at least in the short term, GDPR will be incorporated into UK law after the transition period ends. The ICO’s advice warns companies to be careful that:

  • They clearly establish the extent of their activity with data subjects in the Union, as companies offering goods and services to EEA individuals, monitoring the behaviour of EEA individuals or operating in Europe will need to comply directly with GDPR;
  • They may need a European Representative after the transition period finishes; and
  • They may need to incorporate certain safeguards to ensure data can still flow into the UK from the EU and vice versa.

See the full guidance here.

Regardless of whether the UK will continue to enforce GDPR directly, the scope of GDPR is such that many data controllers will find themselves indirectly needing to comply. Article 3 of the legislation explains that it does not matter if data processing occurs in the European Union or not as long as the data subject is in the Union or the behaviour takes place in the Union. The scope of the regulation is so broad that all companies need to make sure they are compliant and to assess accurately where a data subject is and where, if relevant, the data processor is based, especially when using a third-party data processor.

The fines for non-compliance with GDPR are punishing at around 4% of a business’s global turnover for serious offences. The key takeaway is that, in the short term, there is unlikely to be any change to the obligations of businesses with regard to data protection, so companies should ensure that they comply where necessary.

If at any point you are unsure about whether or not you need to register with the ICO to hold a data protection certificate, please complete the short ICO self-assessment questionnaire here.

Langham Hall is an award-winning provider of Fund Administration, Depositary and AIFMD services to global fund managers. To hear more about how we can help, whatever the requirements, please get in touch with a member of our team.