What is GDPR?
The GDPR will replace much of the existing privacy legislation across the EU (including in the UK, the Data Protection Act 1998). As an EU Regulation it will apply across the EU. However, it also allows Member States to set their own rules in relation to the processing of personal data in certain areas. Therefore, businesses operating across the EU will still need local advice.
Application to entities outside the EU?
GDPR has extra-territorial effect (entities not established in the EU will still be caught by the GDPR if they offer goods or services to people in the EU or monitor the behaviour of people in the EU).
Areas to consider?
Areas to consider include:
- sensitivities around the transfer and protection of personal data of fund investors and employees of fund managers;
- potential liability for a private equity fund for any data protection breaches by its portfolio companies; and
- contractual protections and risk warnings in fund documentation.
Under the existing legislation, only data controllers (the person that determines the purposes and means of processing personal data) have obligations. Under the GDPR, data processors (persons that process personal data on behalf of a data controller) will also have obligations, in addition to data controllers.
Fund managers will need to assess, if they have not already done so, which entities in the fund structure are data controllers and which are data processors. Some of these entities may be both controllers and processors.
In relation to investors’ personal data, alternative investment fund managers (AIFMs) are likely to be controllers, while administrators, distributors and other service providers are likely to be processors. Delegated managers may potentially be joint controllers. This will ultimately depend on who controls the use of the data and who processes the data on the controller’s instructions. In respect of employee data, all of these entities are likely to be controllers.
Compliance steps include:
- considering the need for a data protection officer (these are mandatory in certain circumstances)
- assessing personal data held, where it is held, categories of data subjects, and how it is used
- updating privacy notices to data subjects
- putting in place procedures to give effect to new rights afforded to data subjects (e.g. right to be forgotten, data portability right, right to object)
- keeping the processing records required under the GDPR
- updating contracts between controllers and processors to include specified, mandatory provisions required by the GDPR
- reviewing consents (or other applicable grounds for lawful processing, e.g. legitimate interests)
- updating any existing internal policies as appropriate and required under the GDPR
- reviewing international data flows and any applicable data transfer agreements
- developing, documenting and implementing a data breach policy/procedure, in order to comply with the data breach reporting obligations: in certain circumstances these impose mandatory 72-hour reporting of breaches to the regulator and, where applicable, notification of data subjects
Breach – consequences?
Note the substantially increased fines: up to EUR 20m or, for an undertaking, 4% of total worldwide annual turnover in the preceding financial year, whichever is the greater.