With the advent of the General Data Protection Regulation and the impending roll-out of the California Consumer Privacy Act, data privacy compliance is an increasingly relevant issue in private equity. We had off-the-record chats with the CFOs of three private equity firms and asked about their thoughts, concerns and predictions for data privacy regulation.
What steps have you taken to comply with GDPR?
CFO 1: GDPR is a mess, to be perfectly honest with you. It’s maddening. I generally try to avoid the compliance side of things, but it’s been an awful lot of work, and most frustratingly, it’s difficult to see how much benefit has really been gained. The requirements of informing people of data and keeping it up to date are so enormous that we have had to strip our data back to the bare minimum, which in fairness is what they were trying to achieve with the regulation. I certainly can’t see who is digesting the data, and I’ve not heard any individuals complain. One company decided internally that, in order to meet the GDPR requirements, every individual in every member of staff’s contact list had to be notified that they were in someone’s contact list. Technically, that was the right thing for them to do, but it’s absolute madness. It’s been a nightmare and a complete waste of time.
What steps have you taken to comply with CCPA?
CFO 2: From a compliance perspective, we have a standard that we seek to achieve, to cover our bases across various standards and rules. I am not specifically aware of the California requirements, but I believe we are meeting everything that falls within our jurisdictions. We have a full-time compliance officer, we have written policies and procedures, and we have corporate training with respect to those procedures.
What about cybersecurity?
CFO 2: Some of our more aggressive institutional LPs have required us to put additional cybersecurity measures in place. They really want us to batten down the hatches regarding some of our technology processes. We’ve been relatively proactive, but it’s really just a couple of LPs in particular that have gone above and beyond in pushing us and our vendors to provide additional levels of security.
CFO 3: We have a CCO who manages cybersecurity. We did have an incident a few years ago when our in-house servers were breached. We don’t keep that data in-house anymore – it’s all on the cloud. We’ve gone through several years of enhancements of our systems and procedures.
What does the future hold for data privacy?
CFO 1: It’s going the wrong way in Europe. In the US, Trump is trying to wind back regulations, which is something businesses could benefit from. In Europe, on the other hand, policies like this don’t happen on a whim; they have to go through councils and various different foes in the EU. For something to get that far and go through, it’s incredibly unlikely that it would be revoked or dialled back. I’d predict a movement towards more regulation across the world – or certainly in Europe, at least. The only exception might be in post-Brexit UK, where there’s a chance that the government might decide to deregulate wherever possible to try and boost the economy.