As many of you may already be aware, the European GDPR goes into effect during May 2018. Below are some frequently asked questions and answers about GDPR as a short guide to assist investment advisers and private fund managers with initial GDPR analysis.
What is GDPR?
It is the new General Data Protection Regulation (GDPR) adopted by the European Union that is intended to protect the “personal data” of natural persons in the European Union. It goes into effect on May 25, 2018. Personal data is broadly defined and includes name, address, email address, telephone number, and birth date.
We are a United States investment adviser or private fund manager. Could GDPR apply to us?
Yes. The GDPR applies to entities established in the European Union and to entities not established in the European Union (i) when they process personal data of natural persons (“data subjects”) who are in the EU, and (ii) where the processing activities are related to the offering of services to such natural persons in the EU. For GDPR purposes, “processing” includes simply collecting, recording and storing information, and an investment adviser providing investment advice to EU individuals is providing “services.”
We don’t have (or intend to market to) European natural person investors in our private investment funds. Does GDPR apply to us?
Generally no. However, you should also broadly consider whether you are collecting (or may collect in the future) any personal data on any European individuals. If you have an office or employees located in the European Union, then you will need to consider your GDPR obligations.
What are the penalties for non-compliance with GDPR?
The penalties are severe. As of May 2018, European Supervisory Authorities can impose administrative fines of up to 20 million Euros or 4% of total worldwide turnover of the preceding financial year, whichever is higher.
If GDPR applies, what must we do before May 25, 2018?
- You need to compile a GDPR-compliant policy and provide notice of such policy to any European individuals. The policy will need to cover the following:
  - the identity and contact details of the investment adviser (the “controller”)
  - the types of personal data being collected
  - the purpose of the processing
  - who the personal data is being provided to
  - where outside the EU the personal data is being transferred to
  - the period of time for which the personal data will be held
  - the natural person’s rights (access, rectification, erasure, restriction, data portability and objection)
- You will need to consider whether the “transfer” of EU personal data has been consented to by such investor (or otherwise utilizes one of the “transfer tools” permitted under GDPR).
- GDPR also requires that you appoint a “representative” in one of the EU countries where you have investors (and contact information for the representative will also need to be included in your new GDPR policy).
- You will also need to update your private investment fund offering documents and compliance manual.
- Finally, you will need to review your third-party contracts (for example, with an administrator or accountant) to ensure that the contracts contain certain GDPR-mandatory clauses.