• balogunharold

Fund Manager Update – What is the Level of Exposure that Nigerian Fund Managers Have to the General Data Protection Regulation?

Fund Managers in Nigeria will have some level of exposure to the new European regulation on data privacy, commonly referred to as the General Data Protection Regulation (GDPR), which came into legal effect in each of the European Union Member States (“EU”) on 25 May 2018. The GDPR is the EU legislation that is intended to protect the “personal data” of natural persons in the EU. The GDPR is a substantial update on the current data protection regime and replaces the current rules governing the collection, storage and processing of personal data.

What is the Level of Exposure that Nigerian Fund Managers Have to the GDPR?

Nigerian Fund Managers will have some exposure to the GDPR, in the following circumstances:

  1. Where a Nigerian Fund Manager Offers Goods and Services to Natural Persons (“Data Subjects”) in the EU, Irrespective of Whether a Payment of the Data Subject is Required

The Nigerian international remittance market is a USD 22 billion market and growing[1]. It is increasingly common for fund managers in frontier economies to provide mutual fund investment opportunities for citizens in the diaspora[2]. Within this context, Nigerian Fund Managers will have some level of exposure to the GDPR when they offer services, i.e. participation interests in mutual funds or other collective investment/alternative investment schemes (whether as part of a dedicated diaspora fund or other geography-agnostic mutual funds), to Data Subjects in the EU. Managers of mutual funds or other CIS schemes in Nigeria will typically require investor personal data, which includes the name, address, date of birth and contact information, including payment details for dividends and/or redemption proceeds. Managers typically require this information in order to fulfil AML/CFT and KYC requirements. Nigerian Fund Managers may also ask for employment information or other income level information, in order to be able to properly advise prospective investors on the suitability of an investment option. The point to note here is that these kinds of information form part of the type of data which the GDPR seeks to protect and in respect of which Nigerian Fund Managers may bear some exposure to the GDPR. For context, Personal Data is defined under the GDPR to mean ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

  2. Where a Nigerian Fund Manager Monitors the Behaviour of Data Subjects in the EU As Far As Said Behaviour Takes Place within the EU

The positive correlation between a fund’s marketing efforts and investor fund choices is now well documented. With increasing internet adoption, vast amounts of consumer data, profiles and preferences are available online and can be used to refine fund marketing strategies and to create outstanding leads. Nigerian Fund Managers who are already adopting online marketing or behavioural marketing strategies or other online tracking methods to monitor the behaviour of prospective investors will have some level of exposure to the GDPR under this leg. The GDPR notes that in order to determine whether a processing activity can be considered to ‘monitor’ the behaviour of data subjects, it should be ascertained ‘whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes’.

  3. Where a Nigerian Fund Manager Has an Establishment in an EU Country

Although this is a less likely area of exposure for mutual fund managers in Nigeria, Nigerian Fund Managers of alternative investments, like private equity or venture capital funds, may have some exposure under this leg. This is because of the common practice where such managers choose to domicile private equity and venture capital funds in jurisdictions that offer the opportunity of regulatory or tax arbitrage or other strategic advantages. Based on our review of the GDPR, we expect that such offshore funds will qualify as an ‘establishment’ within the intendment of the GDPR and, for this reason, Nigerian Fund Managers of such funds will need to review their operations with the intent of bringing them in line with the standards prescribed by the GDPR. On a general basis, personal data may be found in employment agreements, carried interest documentation, anti-money laundering information, subscription agreements and, potentially, side letters. The exposure of a Nigerian Fund Manager under this leg will depend on the type of fund and the sophistication of the prospective limited partners. It is important to note here that the UK is still a member of the EU and the GDPR will be directly applicable in the UK until the time of the UK’s formal exit from the EU.

  4. Where a Nigerian Fund Manager Qualifies as a Data Controller or Data Processor Within the Definitions Contained in the GDPR

The question of whether a Nigerian Fund Manager is exposed to the GDPR may also turn on whether the Nigerian Fund Manager qualifies as a data controller or a data processor within the meaning of the GDPR. The following definitions will be useful to Nigerian Fund Managers in forming a view on the level of exposure to the GDPR under this leg:

  • ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • ‘Processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

It does appear that a Nigerian Fund Manager or a general partner, as the case may be, will be considered a ‘controller’ and a ‘processor’ within the meaning of the GDPR, although the level of exposure will ultimately depend on the structure of an investment fund. Service providers employed by Nigerian Fund Managers may also have some exposure under the GDPR, as such service providers can easily qualify as processors within the intendment of the GDPR.

General Comments

It does appear that Nigerian Fund Managers may not be an immediate enforcement priority for EU regulators. However, exposure to the GDPR goes beyond deliberate oversight action by EU regulators. The GDPR vests in Data Subjects the right to make complaints, the right to an effective judicial remedy against a controller or a processor, and the right to compensation for both material and non-material damage arising as a result of a breach of the provisions of the GDPR. This is perhaps the most delicate area of exposure of Nigerian Fund Managers to the GDPR[3]. Other than regulatory risk, there may also be other commercial implications, as prospective investors may shrink from investing in Nigerian funds that are yet to communicate and implement compliance with the GDPR. For managers of alternative funds, compliance with the GDPR may well be a key compliance point and a condition for fund raising from certain types of limited partners. The other important point that should be made here is that compliance with the GDPR requires a nuanced, not generalist, compliance approach. Going forward, it will be prudent for Nigerian Fund Managers to adopt a detailed fund-by-fund and manager-by-manager approach to GDPR compliance. For Nigerian Fund Managers, the baseline approach and going-forward strategy has to be built around the view that data privacy compliance must not only be done but must be seen to be done.

 

Notes: The foregoing does not constitute legal advice. To speak to our in-house subject matter expert, on designing a GDPR Compliance Program for your fund or company, please reach out to us on info@balogunharold.com for comments and questions.

[1] Migration and Development Brief 29, April 28, 2018, World Bank Group

[2] See for example, the Rwanda Diaspora Investment Fund

[3] At the time of this update, an individual had reportedly filed a legal action against Google and Facebook for breach of the provisions of the GDPR. Both suits may potentially cost Facebook and Google up to USD 8.8 billion.