Fund Managers in Nigeria will have some level of exposure to the new European regulation on data privacy, commonly referred to as, the General Data Protection Regulation (GDPR), which came into legal effect in each of the European Union Member States (“EU”) on 25 May, 2018. The GDPR is the EU legislation that is intended to protect the “personal data” of natural persons in the EU. The GDPR is a substantial update on the current data protection regime and replaces the current rules governing the collection, storage and processing of personal data.
What is the Level of Exposure that Nigerian Fund Managers Have to the GDPR?
Nigerian Fund Managers will have some exposure to the GDPR, in the following circumstances:
The Nigerian international remittance market is a USD22billion market and growing. It is increasingly common for fund managers in frontier economies to provide mutual fund investment opportunities for citizens in the diaspora. Within this context, Nigerian Fund Managers will have some level of exposure to the GDPR when they offer services, i.e. participation interests, (whether as part of a dedicated diaspora fund or other geography-agnostic mutual funds) in mutual funds or other collective investment/alternative investment schemes to Data Subjects in the EU. Managers of mutual funds or other CIS schemes in Nigeria will typically require investor personal data, which includes the name, address, date of birth, contact information, including payment details for dividends and/or redemption proceeds. Managers typically require these information in order to fulfil AML/CFT and KYC requirements. Nigerian Fund Managers may also ask for employment information or other income level information, in order to be able to properly advice prospective investors on the suitability of an investment option. The point to note here is that these kinds of information/data form part of the type of data which the GDPR seeks to protect and in respect of which Nigerian Fund Managers may bear some exposure to the GDPR. For context, Personal Data is defined under the GDPR to mean ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
The positive correlation between a funds’ marketing efforts and investor fund choices is now well documented. With increasing internet adoption, vast amounts of consumer data, profiles and preferences are available online and can be used to refine fund marketing strategies, to create outstanding leads. Nigerian Fund Managers who are already adopting online marketing or behavioural marketing strategies or other online tracking methods to monitor the behaviour of prospective investors will have some level of exposure to the GDPR under this leg. The GDPR notes that in order to determine whether a processing activity can be considered to ‘monitor’ the behaviour of data subjects, it should be ascertained ‘whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes’
Although this is a less possible area of exposure for mutual funds managers in Nigeria, Nigerian Fund Managers of alternative investments, like private equity or venture capital funds, may have some exposure, under this leg The reason is because of the common practice where such managers choose to domicile private equity and venture capital funds in jurisdictions that offer the opportunity of regulatory or tax arbitrage or other strategic advantages. Based on our review of the GDPR, we expect that such offshore funds will qualify as an ‘establishment’ within the intendment of the GDPR and for this reason, Nigerian Fund Managers of such funds will need to review their operations with the intent of bringing same in line with the standards prescribed by the GDPR. On a general basis, personal data may be found in employment agreements, carried interest documentation, anti-money laundering information, subscription agreements and potentially, side letters. The exposure of a Nigerian Fund Manager under this leg, will depend on the type of fund and the sophistication of the prospective limited partners. It is important to note here that the UK is still a member of the EU and the GDPR will be directly applicable in the UK until the time of the UK’s formal exit from the EU.
The question as to whether or not, a Nigerian Fund Manager is exposed to the GDPR may also turn on whether a Nigerian Fund Manager qualifies as a data controller or a data processor within the meaning of the GDPR. The following definitions will be useful to Nigerian Fund Managers in forming a view on the level of exposure to the GDPR, under this leg;
It does appear that a Nigerian Fund Manager or a general partner, as the case may be, will be considered a ‘controller’ and a ‘processor’ within the meaning of the GDPR, although the level of exposure will ultimately depend on the structure of an investment fund. Service providers employed by Nigerian Fund Managers may also have some exposure under the GDPR as such service providers can easily qualify as processors within the intendment of the GDPR
It does appear that Nigerian Fund Managers may not be an immediate enforcement priority for EU regulators. However, the exposure to the GDPR goes beyond a mere deliberate oversight action of EU Regulators. The GDPR invests in Data Subjects, the right to make complaints, the right to effective judicial remedy against a controller or a processor and the right to compensation for both material and non-material damage arising as a result of a breach of the provisions of the GDPR. This is perhaps, the most delicate area of exposure of Nigerian Fund Managers to the GDPR. Other than regulatory risk, there may also be other commercial implications, as prospective investors, may shirk from investing in Nigerian funds that are yet to communicate and implement compliance with GDPR. For managers of alternative funds, compliance with GDPR may well be a key compliance point and condition for fund raising, from certain types of limited partners. The other important point that should be made here is that compliance with the GDPR requires a nuanced -not generalist-compliance- approach. Going forward, it will be prudent for Nigerian Fund Managers to adopt a detailed fund-by-fund and manager-by-manager approach to GDPR compliance. For Nigerian Fund Managers, the baseline approach and going-forward strategy has to be that around the view that – Data privacy compliance must not only be done but must be seen to be done.
Notes: The foregoing does not constitute legal advice. To speak to our in-house subject matter expert, on designing a GDPR Compliance Program for your fund or company, please reach out to us on email@example.com for comments and questions.
 Migration and Development Brief 29, April 28, 2018, World Bank Group
 See for example, the Rwanda Diaspora Investment Fund
 At the time of this update, an individual had reportedly filed a legal action against Google and Facebook for breach of the provisions of the GDPR. Both suits may potentially cost Facebook and Google up to USD 8.8. billion