The General Data Protection Regulation (GDPR) – What is it and what does it mean for your firm?
14th August 2017 - Blog Posts - Regulatory Updates - White Papers
The General Data Protection Regulation (GDPR) will be directly applicable in the UK and will create additional obligations for firms alongside the Data Protection Act 1998 (DPA). It is important that firms understand their new obligations under GDPR, which takes effect on 25 May 2018. Although the UK is leaving the European Union, the government has confirmed that Brexit will not affect its implementation.
Implications for Fund Managers and Private Equity Firms
The revised regulation places a key focus on territorial scope, penalties, Data Protection Officers, breach reporting and more:
- Greater focus on territorial scope: GDPR expands the reach of European data protection legislation to data controllers and processors who offer services inside the EU (even if they are based outside of it).
- Organisations do not have to notify authorities of data processing but are required to retain records of data processing activities (subject to limited exceptions for SMEs).
- Organisations will be regulated by a single regulator in the place of their main establishment. This means that if a firm operates across multiple member states, it will be supervised by, and report to, one ‘lead’ regulator.
- The GDPR significantly raises the stakes with regard to compliance, with maximum penalties of 4% of annual global turnover or up to €20m (whichever is higher).
- Organisations are expected to contact their Data Protection Authority (in the UK, the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of any data protection breach.
- Private Equity Firms should be aware that Data Protection Impact Assessments (DPIAs) will now be required to assess the level of risk to the rights and freedoms of individuals. If the DPIA reveals a significant risk, organisations must consult with their regulator before beginning the processing.
- Fund Managers should understand the updates to Data Subject Rights as the GDPR contains new rights around data portability, the right to be forgotten and to prevent profiling.
Read our Regulatory Update in full: The General Data Protection Regulation (GDPR) – Regulatory Update (PDF)
Lawson Conner has worked extensively with our clients to assess the impact of regulatory change. We would be delighted to discuss how we can help Fund Managers and Private Equity Firms meet these new challenges.
Lawson Conner’s team of compliance professionals can assist you at every stage as you seek to comply with the new regulatory obligations. Contact us today for more information.