The digital economy: data protection and security
Hedge funds, private equity, venture capital, wealth and asset management. Traditionally, investors in these high reward wealth vehicles include businesses seeking to acquire other businesses or publicly available shares, or they may be pension funds, insurance companies, or individuals with significant family or other wealth. High reward often goes hand in hand with high risk, but in the digital economy, the risks may be even higher and from other regulatory perspectives, including data protection and security. Not the regulatory perspective one might have expected, but very much here for investors and regulators alike to deal with.
Perhaps surprisingly to some, the high value investment industry intersects with data protection and security in several ways. Especially as investments are going decentralized and digital, many issues, namely digital identity and government access to personal data, are worth a second look in any business to ensure compliance with applicable regulations.
The DIFC’s recent wealth management and venture capital seminar, co-hosted with Trident Trust, made it clear: the future of hedge and venture capital funds will be digital. Examples are all around the UAE already. The DIFC has aligned with Digital Dubai to support the vision of H.H. Sheikh Mohammed Bin Rashid Al Maktoum to make Dubai the world’s digital capital. Investment in the digital economy itself, through future design and acceleration, is a strategic pillar of the Dubai Future Foundation. One primary initiative, in partnership with DIFC, is its “evergreen venture capital fund of funds”, the Dubai Future District Fund (DFDF).
But even with initiatives like DFDF inspiring a digital future, the data protection and security basics around know your customer and financial crime prevention due diligence remain the same. Principles such as fair and lawful processing, purpose limitation, data quality and minimisation, and sensible retention periods apply, while the digital AML / CFT obligations raise the query of what constitutes high risk processing.
Large amounts of identification information are required by any fund or asset manager, and in the current technology environment, online identity authentication applications are becoming one of the most important tools in fast, efficient identity checking for fast, efficient investments. Where digital identity is used to conduct transactions, the vast amount of special category data collected and stored creates added risk.
Think about what is included in a simple point of sale purchase using a smart device. Face ID, fingerprints, retinal scans… all biometrics are special category personal data under most internationally accepted principles. If operating in the DIFC, consider whether the fund is engaging in high-risk processing in accordance with the Data Protection Law, DIFC Law No 5 of 2020 (DIFC DP Law). If it is, a data protection officer must be appointed, and other obligations arise.
Another application of data protection and security law and principles is the use of decentralised systems or other applications for digital identity that prevent the exercise of data subjects’ rights to access, alter, or remove their personal data from the systems supporting investment structures. Appropriate notice about the impact on such rights must be given as per Article 29(1)(h)(ix) of the DIFC DP Law and proposed Regulation 9 of the DIFC DP Regulations 2020.
GOVERNMENT ACCESS TO PERSONAL DATA
Recall that quite a lot of personal data and special category information is collected for KYC or digital identification purposes and for all kinds of financial transactions. Quite a lot of information requests are in turn issued by financial services regulators and law enforcement, among others, for investigations into use of digital systems for financial and other crime, large scale surveillance, and so on. Collecting such data for substantial public interests is addressed in the DIFC DP Law, which contains a unique provision not found in many, if any, other privacy laws – Article 28. Article 28 provides rights and redress assurance through additional data sharing assessment requirements and safeguards. In some cases, government data sharing is non-negotiable. Even then, Article 28 provides an accountability test to demonstrate that the sharing / exporting entity is convinced that the shared information will be protected, via an assessment of the recipient organisation.
Comparable data protection and security considerations exist anywhere in the world - think EU GDPR, US state laws, China, South America… the list goes on, including here in Dubai, cutting across every industry, including wealth management.
The take-away from this is very simple: a solid compliance infrastructure to ensure the safe processing of such data is essential. Data protection compliance requirements aren’t the first thing that comes to mind when thinking about hedge funds or other investment vehicles. Given that digitisation is pervasive, however, a fresh look at all aspects of an investment ecosystem is essential, leading to an honest determination of where and how personal data is collected, for what purposes, and where it will go. A savvy investor or fund manager knows the value of investing in accountability, transparency, and fair and lawful processing of the vast amounts of data they acquire for marketing, investing, digital identification, or financial crime prevention compliance. More significantly, investors are looking for responsible, sustainable investments (ESG anyone?). Consequently, data privacy and security compliance must be addressed (or perhaps re-assessed) in a holistic way to update the systems supporting funds or firms.
For further information about these and other topics related to data protection and wealth / asset management, please browse the DIFC Data Protection website: