PE Tech Report


GDPR: what are the implications for the private equity industry?

By Ian Kelly, CEO, Augentius – When it comes to data, the headlines in recent weeks have understandably been dominated by the global WannaCry ransomware attack, but that is not the only data issue that should be on the agenda of private equity fund managers and investors. In a year's time the General Data Protection Regulation (GDPR) comes into force, extending the reach of EU data protection law beyond the EU: any organisation, wherever it is established, that processes personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour, falls within its scope.

The Regulation is backed by strong enforcement and puts individuals in control of their own data. It harmonises data protection rules across the EU, but at the cost of a strict compliance regime with severe penalties for breaches.

The sanctions are serious. Supervisory authorities can issue written warnings and reprimands, order remedial measures and require the business to submit to data protection audits, and at the top of the scale they can impose a fine of up to EUR20,000,000 or up to 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is greater.

The level of any fine will reflect the seriousness of the breach: the number of individuals affected, the type of data involved, the impact on those individuals, and how seriously the business has taken its data protection responsibilities. Experience shows, however, that the size of the fine is often the least of the problems facing the business. The Information Commissioner's Office (ICO) publishes details of the businesses it fines, and the reputational damage can be significant.

It is immediately apparent that significant work is involved in preparing for the Regulation. The headlines have mostly been about breach notification, the right to be forgotten and the need to appoint a Data Protection Officer. However, the provisions of Article 25, data protection by design and by default, require that data protection be built into the design of business processes, products and services from the outset, rather than bolted on afterwards. This will be the major challenge for data controllers and processors.

In the Regulation a data controller and data processor are defined as follows:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The requirements apply to employee data just as they do to data held on investors. For employers in the UK the practical detail is set out in the ICO's Employment Practices Code, comprehensive guidance on how employers can meet their data protection obligations, and this should be reflected in the firm's HR policies and procedures.

Many private equity firms are wondering whether they need to appoint a dedicated Data Protection Officer. Under Article 37 the appointment is mandatory only for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Most private equity managers will fall outside these tests. That said, every firm should still consider nominating a suitably qualified individual with responsibility for data protection, so that there is clear ownership of compliance even where no formal DPO is required.

Another area of confusion is that information held by a firm is typically subject to statutory and common law retention periods, which might appear to conflict with the new "right to be forgotten" (the right to erasure). Retention periods remain paramount: the right to erasure does not apply where processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims, and the principle that data should not be kept longer than necessary (Principle 5 of the current Data Protection Principles) already requires firms to know how long each category of data must be kept. The right to erasure therefore applies only in certain circumstances and is not absolute. Nonetheless, firms should have procedures in place to assess whether a request is valid and to comply with any legitimate request. Where a request does not meet the criteria set out in the Regulation and in the European Court of Justice ruling that established the right, the cost of erasure, in both time and money, can be avoided.

The question of where data is stored is important too. Many firms now use cloud systems whose servers are housed outside the EU, and any transfer of personal data out of the EU needs a recognised legal basis. On 2 February 2016 the European Commission and the United States agreed a new framework for transatlantic data flows known as the "EU-US Privacy Shield", which replaces the Safe Harbour arrangement invalidated by the European Court of Justice; transfers to other countries generally rely on a Commission adequacy decision or on standard contractual clauses. Firms should confirm with each cloud provider where data is held and which of these mechanisms covers it. The ICO will issue updates as the Commission and the EU data protection supervisory authorities agree the way forward.

To ensure they are on course for the GDPR's implementation date of 25 May 2018, fund managers should undertake a comprehensive review benchmarking their data protection policies and procedures against the requirements of the Regulation. They should check that their HR policies and procedures reflect the Employment Practices Code, identify the gaps and establish what is required to address them. We recommend that managers consult their IT suppliers to establish what steps those suppliers propose to take to meet their own obligations, and what systems they can provide to help the manager meet its obligations. Following this, every manager should agree an appropriate action plan with timeframes, and ensure it is implemented to the letter.
