GDPR: six month compliance guide

Many firms are unprepared for the General Data Protection Regulation, which will be enforced in May. Experts helped Claire Wilson put together a six-month compliance plan

The widest-reaching data protection regulation ever conceived will come into force in May 2018, but many private fund firms are not ready.

“Being one step removed from the retail markets, some firms haven’t seen the General Data Protection Review as a critical issue,” William Long, partner, data protection at Sidley Austin, tells pfm.

Smaller firms may not have had the resources to deal with the GDPR, while others have sidelined it to get up to speed with other regulation. Now, with just six months to go, those firms are having to rush to catch up.

“We have been hosting small webinars on GDPR compliance preparation, and the same questions keep coming up,” says Alexander Norell, director, Europe Middle East and Africa – global compliance and risk services, at Trustwave. “People want to understand whether they are collecting data legitimately, what are the rights of the people whose data they are collecting, and how to make sure they have the correct contractual rights to collect new data.”

The GDPR will affect anyone that holds data relating to an individual in the EU – including many private fund firms without a physical presence on the continent – and the penalties for non-compliance are huge: a fine of €20 million or 4 percent of total global revenue, whichever is higher.

The regulation will be a game-changer for private fund firms. For those that haven’t started, or are in the early stages of preparation, now is the best time to attack it whole-heartedly.

The consequences of falling foul of this regulation are simply not worth the risk. We have compiled the first three concerns a firm should consider in order to establish the scope of the challenge.

Getting started
The steps a firm can take to become compliant sound simple, but they can take a while to complete, so it's crucial to begin immediately.

Establish a project team
With six months to go, firms that have not started their preparation or are only just realizing they will be affected need to make compliance a priority. They should ensure they have the required resources to build and execute a policy, and that senior management understands the significance of the regulation.

Establish the types of data the firm holds and what they are used for
The regulation is very broad and applies to all data for any individual – employees, investors or data from portfolio companies that may be in the firm’s hands.
The firm should discuss with HR what type of employee data they hold, and analyze investor information: high-net-worth clients are easily identified as individuals, but consider the information held on corporate investors. This could include mortgage data, loan information or personal details of contacts at the investor’s headquarters.

Map the data and carry out a gap analysis
This is a critical stage in the process. Once a manager has established the extent of data held – who it belongs to, what it is used for and where it is stored – they should compare it with the regulation's requirements to identify shortfalls. This will allow them to draw up a compliance action plan.