The widest-reaching data protection regulation ever conceived will come into force in May 2018.
Many private equity firms, however, have not seen it as a critical issue and are far behind on their compliance.
The General Data Protection Regulation will affect anyone that holds data relating to an individual in the EU – including private fund firms without a physical presence on the continent – and the penalties for non-compliance are huge: a fine of €20 million or 4 percent of global turnover, whichever is higher.
Data experts told pfm that firms not yet ready for the rule should act on their plans now; it is a bumpy road to compliance and some of the tasks will take a long time to complete. The regulation is so wide-ranging that there is no one-size-fits-all road to compliance, but there are common issues most firms will have to consider. These are:
1. Whether to hire a data protection officer
A firm may have to hire a data protection officer, depending on the type and volume of data it holds. It is an obligation when the firm regularly processes data on a large scale or when it deals with sensitive data such as health records or data relating to criminal convictions or offences. DPOs must have expert knowledge, a direct line to management, and be independent.
2. How third parties deal with your data
If a third party has access to, or uses, a firm’s data, the firm must impose contractual provisions ensuring the third party takes the same steps to keep the information protected as the firm would in-house. The number of contracts that need negotiating could run into the hundreds.
3. How to embed privacy into processes
If a firm introduces a new system that happens to deal with data, for example a new HR management tool that collects and stores information relating to employees or potential employees, the protection of that data in the new system must also be considered.
4. Establishing a compliance methodology
The procedure should include regular privacy impact assessments, especially when new data types are brought in or systems are changed. The policy should also include a requirement for regular updates of the data record and reviews of the policy itself. People are likely to exercise their right to know what type of data a firm holds on them, so firms must consider how this information will be provided.
5. Drawing up an incident response
The policy should also include a well-planned incident response. A breach must be reported “without undue delay” and within 72 hours. Having a robust response plan, which sets out who is responsible for organising the response and for reporting the breach to the local regulator, will help to ensure the deadline is met.
6. Disposing of data
A firm must decide how to safely get rid of data it no longer needs. The final decision will depend on the sensitivity of the information and the medium in which it is held, and might vary from data set to data set.
The financial consequences of falling foul of the regulation are significant, but the reputational risk could be even more so. Fund managers that neglect GDPR compliance do so at their peril.