The European Union (EU) is an economic and political union of 28 independent member states. The EU marketplace is of huge significance to the private equity, venture capital, and investment fund industry, and actions taken by the EU ripple across the entire industry.
The EU General Data Protection Regulation (GDPR), adopted in 2016, is the most important change in data privacy regulation in decades. The new EU data privacy law became applicable in May 2018 and harmonized the data privacy laws that apply across EU member states, replacing the patchwork of national laws that implemented the earlier Data Protection Directive.
In general, the regulation introduces rigorous consent requirements, data subject rights, and obligations on organizations that gather, control, and process data. From a data protection standpoint, the GDPR regulates the processing (including tracking and monitoring) by an individual, a company, or an organization of personal data relating to individuals in the EU. From a privacy standpoint, the GDPR seeks to “put individuals in control of their data” and extends extensive rights to individuals, including rights of access, rectification, erasure, and objection.
The new data protection requirements the GDPR imposes on the collection, use, and disclosure of personal data are particularly relevant to private equity firms, venture capital funds, and other investment funds, and the GDPR imposes significant fines for violations of those requirements. The GDPR also extended the reach of EU data protection law such that non-EU organizations (such as non-EU private investment funds and their sponsors) fall within its scope if they process the personal data of individuals in the EU in connection with goods or services offered to such individuals, or if they monitor the behavior of individuals within the EU. The GDPR applies only to the processing of data relating to a “natural person.” Data relating to institutional investors as entities is not covered (although information relating to their employees or individual plan participants might be).
In particular, funds that anticipate marketing to natural persons in the EU with a view to accepting subscriptions from those individuals will need to address any issues related to personal data collection in order to ensure their compliance with the GDPR. A fund will generally collect personal data, for example, when an individual chooses to invest in the fund. Individual investors will typically be required to provide personal data such as name, address, date of birth, contact information, payment details, and tax residence information (for US FATCA and CRS purposes). For identification purposes and to fulfill contractual and regulatory obligations (such as anti-money laundering obligations), individual investors may also be asked to provide personal data in the form of photographic identification, information regarding their source of funds and wealth, employment and income information, information on dependents, and investment objectives. Where a corporate entity is an investor in the fund, that entity typically also provides personal data about its directors, members, shareholders, other beneficial owners, or other individuals working for the corporate investor. This personal data may include name, address, date of birth, nationality, and identity verification documents.
Where the GDPR applies to the processing of personal data, a fund should conduct an initial assessment of whether it or its affiliates are acting as data controllers or as data processors in each processing activity. A data controller is an entity that determines the purposes and means of the processing of personal data and typically uses it for its own commercial purposes; a data processor is an entity that does something with personal data on behalf of, and on the instructions of, a data controller in connection with providing a service to it. The distinction matters because the greatest burdens under the GDPR fall on data controllers. Investment fund managers are likely to act as data processors when managing personal data on behalf of their funds. They are, however, likely to act as data controllers where they use the personal data for their own purposes, such as managing client accounts, conducting anti-money laundering reviews, or marketing, or where they otherwise determine the purposes and means of processing the data. The funds themselves are likely to be data controllers, with greater obligations than data processors under the GDPR.
The data controller is ultimately responsible for compliance with the data protection principles and must demonstrate: 1) lawfulness, fairness, and transparency; 2) the purpose limitation (personal data must only be collected for specified, explicit, and legitimate purposes); 3) data minimization; 4) accuracy of the data; 5) storage limitation; 6) integrity and confidentiality; and 7) accountability.
Additionally, the GDPR requires both data controllers and data processors to implement appropriate technical and organizational security measures to protect personal data, and to take specified remedial steps in relation to any personal data breaches that occur. In particular, a data controller must notify the competent supervisory authority (the privacy regulator) in the EU without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a data processor that suffers a breach must notify the controller without undue delay so that the controller can meet that deadline. Where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the fund may also have to communicate the breach to those individuals directly. Funds will also need to include GDPR data processing provisions in their contracts with vendors (administrators, transfer agents, KYC providers, and the like) wherever those vendors process personal data subject to the GDPR.
In sum, the GDPR sets a higher bar for funds to meet in order to justify the processing and sharing of investors’ personal data. Funds should assess their processing activities and implement controls in order to comply with the GDPR. A failure to do so will expose a fund to fines and sanctions. The fines for failure to comply are very high, reaching as much as 4 percent of annual worldwide turnover or EUR 20 million, whichever is greater. The GDPR also allows individuals to bring civil claims for compensation (including representative actions brought on behalf of groups of individuals) against funds that violate their data protection rights.
About the Author
Dharmi Mehta is a compliance attorney with Seashine Capital Management, a California-based international investment and management company focused on the U.S. real estate sector.