GPs told they ‘can’t outsource responsibility’ on GDPR

A fund's data controller has an obligation to ensure the vehicle is compliant with the new regulation, managers have been warned.

With the deadline for compliance with the EU’s General Data Protection Regulation six weeks away, fund managers have been told that attempts to outsource the responsibility to fund administrators will not be looked on favorably by regulators.


During a webinar discussion hosted by financial services cloud software provider Navatar, Jason Scharfman, managing partner at US consulting firm Corgentum Consulting, said that even if a firm outsources GDPR compliance to a third-party provider “ultimately the responsibility still remains with the firm.”

Scharfman added that while “there’s nothing wrong with that type of framework … regulators have criticized firms that just try to completely outsource that responsibility because they can’t.”

Dan Silver, a partner at Clifford Chance in New York, said the data controller at a fund has an obligation “to ensure that data processors (fund administrators) are GDPR-compliant.”

Silver added that if firms are outsourcing they must ensure their provider notifies them promptly of any data breach. GDPR stipulates that an institution must notify a privacy regulator within 72 hours of a breach.

“A 72-hour timeframe is a really, really tight timeframe to have to make any notification, and it’s tighter than most of the existing requirements that are currently applicable in the US. So what we’ve been telling clients is the only way to really prepare for that is to make sure that you’ve done some practicing to have a sense of who would have to be involved and what kinds of steps have to be taken to be able to make a notification within that kind of tight deadline,” Silver said.

Silver added that once funds have determined where their obligations are going to lie under GDPR, some important goals to achieve ahead of May 25, when the regulation comes into force, include “updating your disclosures to LPs, and any other EU-based individuals who you may deal with, and also reviewing and updating your services agreements. There will be other things to think about as well, such as updating compliance manuals and staff training and incident response planning, which are also important.”

Scharfman said he has come across managers still taking a “wait-and-see” approach, with US funds in particular “still trying to wrap their heads around how this regulation will apply to them.” He added that “at this point in the game” a wait-and-see approach “is not acceptable for LPs.”

US firms have previously been told they need to “up their game” on GDPR.

Nearly two-thirds of private equity and hedge funds have hired data-specific personnel in anticipation of the regulation, according to a survey by Koger.