As the MiFID II dust settles, another new regulatory minefield on the horizon for fund managers is GDPR, the new pan-EU legislative framework for the protection of personal data. It comes into effect on 25 May 2018.
A question we are frequently asked is whether fund managers need to obtain express consent from individual investors to use their personal data, for purposes including direct marketing. In most cases, consent should not be required.
GDPR sets out six lawful reasons for using personal data. One or more of these reasons must exist in order to permit lawful use of personal data. Based on the Article 29 Working Party's Consent Guidelines, there can't be "back-up" reasons for use. It is therefore critical to determine the reason(s) for use of personal data and maintain that position consistently.
Entities using personal data must inform the data subjects (at the time they collect the data) of the specific lawful reason being relied upon.
The legitimate interest rationale
Depending on the extent of direct marketing undertaken by a fund manager and the range of use of personal data overall, a fund manager should be able to use personal data of investors without consent for direct marketing purposes in its legitimate interests. This is the case provided that such use is undertaken in a fair and transparent way and is not outweighed by harm to the individual’s rights and interests.
Another interesting point in the Article 29 Working Party's Consent Guidelines is that previously given consent will not be invalid by virtue of being provided pre-GDPR, provided it meets the standards in GDPR (e.g. a record is retained that can demonstrate such consent was freely given, specific and informed).
The Article 29 Working Party has adopted "Guidelines on Consent under Regulation 2016/679" clarifying requirements of the EU GDPR. These guidelines are open for comment through Jan. 23, 2018.