GDPR – May 25, 2018 Effective Date
The General Data Protection Regulation (GDPR) is a new data privacy and security initiative adopted by the EU that is intended to provide enhanced protection to EU citizens for their personal data. The definition of “personal data” is very broad and captures much of the data regarding EU investors that is typically processed by investment advisers, funds and service providers in connection with separately managed accounts and funds. The relevant GDPR effective date is May 25, 2018, and the U.S. investment management industry has only recently begun to focus on its extra-territorial impact.
GDPR likely applies to (a) U.S. investment advisers who provide management services to individual EU investors and (b) investment funds that are offered to individual EU investors. Thus, a U.S. adviser should plan to address GDPR’s requirements if EU individuals are invested directly in its funds or separate accounts. This is commonly referred to as being “in scope.” There is some uncertainty as to whether a fund is also “in scope” of GDPR if it has (i) individual EU investors who invest indirectly through a nominee account (e.g., a German bank) or (ii) EU institutional investors for which EU individuals act as signatories or otherwise liaise with the adviser. Many EU law firms advise that the GDPR requirements only apply if EU individuals are named fund investors or account holders; at the other end of the continuum, other firms advise that if an adviser even obtains the name of a European individual who is not a fund investor or account holder (e.g., as a signatory on behalf of an institutional investor), GDPR applies, because the adviser knows the individual’s identity. There is no consensus yet on these points.
GDPR requires advisers and funds that are “in scope” to adopt internal data protection policies regarding cross-border transfer, processing, disclosure and retention of personal data of EU individuals, and provide privacy notices to the applicable individuals. Thus, U.S. advisers or funds subject to GDPR should send privacy notices to the EU individuals covered by GDPR (which is unclear as noted above) by May 25, 2018. They also must update agreements with service providers, such as fund administrators, that process data for funds.
A number of service providers may be involved in addressing GDPR compliance, including fund administrators, fund directors, compliance consultants and U.S. and offshore legal counsel. You may have received information regarding GDPR from one or more of these service providers. These firms, as well as our firm, may be available for insight and advice on GDPR. In the upcoming week you should consider whether GDPR applies to your firm and investor base. If it does, you should develop a plan to address GDPR’s compliance obligations.
If you have any questions or want to discuss options for navigating GDPR, please contact one of the attorneys in the Investment Funds & Advisers Group at Shartsis Friese LLP: John Broadhurst, Geoffrey Haynes, Carolyn Reiser, Jahan Raissi, Neil Koren, Jim Frolik, Christina Hamilton, Joan Grant, Lyn Roberts or David Suozzi.
Previous letters to our investment advisory clients and friends and discussions of other topics relevant to private fund managers, investment advisers and private investment funds can be found at our insights page: www.sflaw.com/blog/investment-funds-advisers-insights.