Privacy Laws: The New Normal

With the recent surge in privacy laws, fund managers question if they need to be compliant and how these new laws may affect them. What do fund managers need to consider about the information they collect from their investors and how they market to all investors?

With the implementation of the General Data Protection Regulation (“GDPR”) in 2018 and the California Consumer Privacy Act (“CCPA”) now in effect on January 1, 2020, compliance with privacy regulations have become paramount to mitigating business risk. Despite attempts by the Government Accountability Office, there is no uniform federal regulation. Unfortunately, this could lead to 50 separate state level laws, making adherence all the more complicated and costly. Some of the many factors to be considered as privacy laws come into effect are: who will be protected, what will be protected, who will be required to comply, and what, if any, data security requirements by the state will be imposed. It is essential for fund managers to understand how these regulations affects their data operations and fund marketing.

These laws focus on Personal Identity Information (PII) which is any information relating to an identifiable person. This includes full name, personal identification numbers (drivers license, passport number) biometric records (finger prints, voice prints) credit card and financial account numbers, date of birth, telephone numbers, street address, zip code, email address, digital identifiers, demographic information, medical information, religious affiliation, political affiliation, and test scores.

The requirements to adhere to the privacy laws are complicated and tedious. Even if GDPR and CCPA do not directly apply to your firm, it would be advantageous to be prepared for the “new normal” that is the impending wave of privacy laws.

  • Fund managers need to assess their technology, cybersecurity, IT infrastructure, update their data retention and online privacy policies, compliance programs, and internal audit functions.
  • Fund managers need to evaluate how they will respond to requests for disclosure, right to deletion, right to rectification, data breach notifications, and the right to opt out of sale of information among many other rights granted to the protected.

All fund managers are legally required to:

  • Observe any applicable legal restrictions on collection and use of PII
  • Obtain appropriate consents for data collection and for marketing uses (opt-in/opt-out)
  • Exercise appropriate diligence when selecting vendors and appropriate oversight during the relationship with the vendor
  • Ensure vendor contracts include appropriate data ownership, data use, data security, cybersecurity insurance and indemnification clauses
  • Notify individuals in the event of a security breach that compromises any PII

It’s more important then ever for a fund manager to ensure investor privacy. Due diligence in how your organization collects PPI, how it processes it, where it maintains it and how safe the data is stored under the current processes and procedures. Accountability is important at all levels and having a strong cybersecurity and data privacy posture is so important.

Between CCPA, the possibility of other state legislation in the works, GDPR authorities ramping up activity, and the SEC taking new focus, fund managers need to have data privacy compliance at the top of its to-do list.


Mainstream Fund Services, Inc is a full-service fund administration firm dedicated to partnering with their clients to provide accurate, timely and comprehensive accounting services to the financial services industry. Mainstream’s highly professional and seasoned associates provide world class service, transparency and oversight along with independent data verification. Cutting edge technology is fully automated, highly secure, flexible and provides a cost-effective level of reliability that meets the specific needs of sophisticated investors. Mainstream clients keep pace with industry change – from Fund Accounting to Regulatory Reporting – via our heavy investment in technology platforms.

 

For more information contact: Michelle Diller – MDiller@MainstreamGroup.com