The General Data Protection Regulation and the investment fund industry are not a natural match. GDPR was drafted with the major players of the information society in mind, which rely heavily on the processing of personal data as the foundation of their business. Data processing by the investment fund industry, however, is mainly driven by the strict need to manage investments and comply with regulations (anti-money laundering rules, for instance).
This mismatch has led, on the one hand, to a rather late realisation by the investment fund industry that GDPR required action and, on the other hand, to many practical difficulties in translating GDPR requirements to the complex world of investment funds and their service providers.
As a result, the different players are now racing towards the 25 May 2018 compliance goal at the risk of losing sight of the exact requirements that need focus. It is unfortunately not sufficient to amend the prospectus with new standard language, add a clause or two to the subscription form and amend some service agreements. GDPR requires a more fundamental change in how data processing is looked at and in how to deal with a certain number of topics such as data security, data loss or data access requests, not only for future but also for existing data. This requires a change not only in documentation, but also in internal processes and awareness.
Fleshing out how exactly to deal with these challenges has been the objective of multiple GDPR working groups within the Association of the Luxembourg Fund Industry over the past few months, and the amount of effort and dedication that has gone into the sessions is commendable. The outcome will form a reference basis for the industry to drive its GDPR projects forward for the period leading up to 25 May and beyond.
It is, however, also important to underline that any positions will only reflect the opinion of the working groups based on the discussions that have taken place and the information at hand. It is likely that any recommendations will have to vary and evolve in the future, depending on the specific role each industry player assumes.
In that context, I also welcome the proactive approach taken by the Luxembourg data regulator, the CNPD, in providing information and guidance to the different industries, notably the financial sector.