
Navigating the data privacy conundrum


    Data breaches and non-compliance with privacy laws have resulted in costly penalties: the maximum fine under the EU GDPR and the UK GDPR is 4 percent of annual worldwide turnover (or a fixed monetary cap, whichever is higher). Moreover, individual claims for data breaches are increasingly being brought before the courts.

    The applicability of privacy laws will depend on where the funds are established and where they are targeting their operations. For UK and EU organisations, there is some basic housekeeping that can assist in complying with data protection laws. Similar concepts exist around the world where there is an established privacy legal framework.

    Identify the controller

    Responsibility for compliance with UK and EU data protection laws under the General Data Protection Regulation ("GDPR") rests predominantly with the "controller", defined as the "body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

    Typically, General Partners ("GPs") will be controllers of personal data through the fund itself, but the manager may also be a controller or a joint controller. While it is useful to document roles in the fund structure documentation, the analysis of who is a controller is one of fact, not contract: labelling a party a "processor" in an agreement does not make it one if it in practice decides why and how the data is used.

    Understand your data

    Accountability requirements in the GDPR oblige controllers to understand the data they have, the lawful basis on which they process it and the disclosures that are made. A controller GP will need to document records of processing, as well as policies and procedures on how data protection laws are complied with in practice.

    Be transparent

    The GDPR prescribes that data subjects must be informed about how their data is processed and about any third-party disclosures. This covers any director information obtained from investors or personal data processed by the fund in connection with a target. GPs therefore need to think about how to communicate this information with the data subjects.

    Keep only the minimum data necessary, with appropriate security

    The more headline-grabbing fines from regulators arise from security breaches that have resulted in loss of data. The GDPR obliges controllers to hold personal data only where necessary, to delete it when it is no longer needed and to implement appropriate technical and organisational measures to mitigate the risk of security breaches.

    Funds may also incorporate contractual provisions relating to the protection of confidential information and personal data in the limited partnership agreement and the subscription agreement between the investor and the fund.

    In storage, where possible, personal data may be irreversibly anonymised, which renders it no longer "personal data" and therefore no longer subject to the GDPR. Note that merely pseudonymised data (for example, investor records keyed to an identifier that can be linked back to the individual) remains personal data and stays within scope.

    This article was originally published on 1 April 2022 in Private Equity International.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.
