Overview of GDPR for US Private Fund Managers

The General Data Protection Regulation (“GDPR”) is a new set of requirements intended to strengthen the protection of citizens’ personal data as well as data movement within the European Union (“EU”).  GDPR was adopted on May 24, 2016 by the European Parliament and the Council of the European Union and went into effect on May 25, 2018.  The regulation replaces Directive 95/46/EC, known as the Data Protection Directive and may apply to certain organizations (including private fund managers) in the US who work with persons in the EU.  This post is designed to give fund managers an overview of the regime and some initial items that should be considered.

What is GDPR?

GDPR sets restrictions on those who process, transfer, or monitor personal data and the procedures by which this is done.  The term “personal data” means any information relating to an identified or identifiable natural person.  The term generally means any information that directly or indirectly can lead to the identification number, location data, online identifier, or similar items related to the identity of a natural person (can include physical, physiological, genetic, mental, economic, cultural, social data, etc).   Organizations that are subject to GDPR but are not compliant can be fined the greater of €20 million or 4% of global annual turnover. GDPR requires that any personal data breach must be reported within 72 hours and justification must be given for any delays.

One of the key aspects of GDPR is that it requires organizations to appoint a Data Protection Officer (DPO) in the following three situations: (1) if the organization is processing public data as a public authority; (2) the organization’s processing operations require regular and systematic monitoring of data subjects on a large scale; and (3) the organization has large scale processing of personal data relating to criminal convictions or special categories that reveal identity of a natural person (including physical, physiological, genetic, etc.).  Although private fund managers may not fall into any of the above categories, it is encouraged under Article 29 Data Protection Working Party (“WP29”) for organizations to appoint a DPO as part of good practice procedures and to demonstrate compliance with GDPR.

Who is regulated?

The requirements of GDPR applies to controllers (the person(s) or entity that determines the purposes and means of processing personal data) or processors (the person(s) or entity that processes personal data on the controller’s behalf) of personal data.  It also applies to the processing activities related to offering goods or services to the data subjects from the EU or monitoring behaviors that take place within the EU.

*** Practically, for private fund managers, GDPR is applicable if you have European investors in a fund or actively solicit or market to European investors.  

What are the initial steps a private fund manager should take?

Depending on the scope of activity, we believe that managers should think about implementing a full GDPR compliance program.  In the meantime, managers subject to the directive should take immediate actions:

• Send a disclosure statement to EU investors regarding GDPR and the fund’s obligations under GDPR.
• Attach the disclosure statement regarding GDPR to the fund subscription documents moving forward to ensure that all new investors receive it.
• Update the fund’s offering documents with a GDPR disclosure.
• Amend agreements with service providers who processes EU investors’ personal data on the fund’s behalf.
• Determine whether the fund needs to establish an EU Representative.

How do you create a GDPR compliance program?

Managers with data subject to GDPR will need to take inventory of their data which is covered by the regulation and should create certain procedures and controls with respect to the data.  We believe that initial steps should include the following:

• Create a list of all types of personal information your fund holds, the source of that information, with whom you share it, what you do with it and how long you will keep it.
• Create a list of places where your fund keeps personal information and the ways data flows between them.
• Create a publicly accessible privacy policy, which includes a lawful basis to explain why the fund needs to process personal information, that outlines all processes related to personal data.
• Appoint a Data Protection Officer (DPO) if necessary.
• Create awareness among decision makers about GDPR guidelines.
• Review and/or update the fund’s security technology that is used to process personal data (i.e. firewalls, security verification tools, etc.).
• Update e-mail security to reduce the risk of phishing and other attacks on protected information.
• Create a compliance program that includes staff training on data protection items.
• Create a list of third parties that process personal data for you and update your privacy policy to disclose your use of these third parties.
• Put a contract in place with any data processors with whom you share data containing explicit instructions for the storage or processing of data by the processor.

Conclusion

Managers should begin this process of exploring the impact of GDPR on their operations immediately if they have not already done so.  Managers should also consult with offshore counsel, compliance consultants, and/or GDPR specialists for guidance on how to best comply with GDPR to meet the fund’s particular needs.  GDPR has radically changed how personal data is processed in the EU and abroad.  The sooner a manager enacts GDPR compliant policies, the sooner the manager can cater to EU citizens and the less likely it will be subject to penalties.

****

Bart Mallon is a founding partner of Cole-Frieman & Mallon LLP.  Cole-Frieman & Mallon LLP has is a leader in the hedge fund space and routinely works with managers on legal, regulatory and compliance issues. If there are any questions on this post, please contact Mr. Mallon directly at 415-868-5345.