Offshore funds established in the Cayman Islands and BVI could be forgiven for thinking that European laws on data protection don’t apply to them. That all changed when the General Data Protection Regulation (GDPR) came into force in Europe last Friday, 25 May.
What’s GDPR and when can offshore funds be caught?
GDPR is broad in scope and expands Europe’s earlier data protection laws, with an overall aim of improving European individuals’ rights over their personal data and how it’s collected, stored and processed. GDPR applies to data controllers and data processors established in the European Union but can also apply to controllers/processors when they’re based outside the EU, depending on their activities.
Offshore funds may be classed as data controllers if they’re processing data about EU individuals and the processing is related to offering goods or services to individuals in the EU. In practice, this means that offshore funds that have EU investors or that actively market their fund to EU investors may be in scope. Unfortunately, whether a fund is being offered or actively marketed to EU investors under GDPR isn’t the same as whether it’s being marketed under AIFMD, so funds need to review their activities and investors again to see if GDPR applies. GDPR can also apply to offshore funds where personal data is being processed outside the EU by controllers/processors established in the EU.
Service providers to funds, including administrators and IT providers who hold personal data caught by GDPR, may also be classed as data processors. Specific GDPR requirements for arrangements between controllers and processors may then mean that a fund’s administration and outsourcing agreements need reviewing.
With potential penalties of Euro 20 million or 4% of annual global turnover, whichever’s greater, offshore funds that may be in scope of GDPR need to take it seriously.
Here at Harneys our Cyprus team has been busy advising funds and their service providers on whether they’re in scope and if so what they have to do to make sure they’re compliant, with a handy flowchart as the starting point.
The detailed impact of GDPR on offshore funds in practice is likely to be a discussion point for the industry for months to come, despite it coming into force last week, with one commentator remarking that the legislation’s “woollier than a row of sheep”. Here in Europe there are many people who are simply relieved that their inboxes have stopped being swamped with updated privacy policies, many from companies they can barely remember being in contact with in the first place…