Private equity firms may not consider themselves data-heavy organisations and so data protection compliance may not seem a priority. Nevertheless, there are growing quantities of investor data held within the fund structure, often comprising the personal data of individual directors, which are subject to privacy laws.
Data breaches and non-compliance with privacy laws have resulted in costly penalties, with the maximum fine in the EU and UK being 4 percent of annual worldwide turnover. Moreover, individual claims for data breaches are increasingly being brought to the courts.
The applicability of privacy laws will depend on where the funds are established and where they are targeting their operations. For UK and EU organisations, there is some basic housekeeping that can assist in complying with data protection laws. Similar concepts exist around the world where there is an established privacy legal framework.
Identify the controller
Responsibilities for compliance with UK and EU data protection laws under the General Data Protection Regulation predominantly rest with the “controller”, which is defined as a “body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Typically, general partners (GPs) will be controllers of personal data through the fund itself, but the manager may also be a controller or a joint controller. Moreover, while it is useful to document roles in the fund structure documentation, whether a party is a controller is a question of fact, rather than contract.
Understand your data
Accountability requirements in the GDPR oblige controllers to understand the data they have, the lawful basis on which they process it and the disclosures that are made. A controller GP will need to document records of processing, as well as policies and procedures on how data protection laws are complied with in practice.
The GDPR prescribes that data subjects must be informed about how their data is processed and about any third-party disclosures. This covers any director information obtained from investors or personal data processed by the fund in connection with a target. GPs therefore need to think about how to communicate this information to the data subjects.
Keep only as much data as necessary, with appropriate security
The more headline-grabbing fines from regulators have arisen from security breaches that resulted in the loss of data. The GDPR obliges controllers to hold personal data only where necessary, to delete it when it is no longer needed and to ensure appropriate security is in place to mitigate the risk of security breaches.
Funds may also incorporate contractual provisions relating to the protection of confidential information and personal data in the limited partnership agreement and subscription agreement between the investor and the fund.
In storage, where possible, personal data may be irreversibly anonymised, which renders it no longer “personal data” and therefore no longer subject to the GDPR.