Private equity firms are being advised not to panic despite the rapidly approaching deadline for compliance with the European Union’s new data protection regime.
The General Data Protection Regulation will come into effect on 25 May 2018, bringing with it new penalties for non-compliance, including the threat of fines of up to 4 percent of total global annual turnover, or €20 million, whichever is the greater.
But while many firms have been preparing for the new legislation on the management of third-party data for as long as two years, those that are not yet fully prepared need not worry, according to Eduardo Ustaran, partner and co-director of the global privacy and cybersecurity practice at law firm Hogan Lovells.
He says: “Many organisations are just starting to realise that this is going to affect them. The perceived lack of compliance with the forthcoming framework is stressful and paralysing at the same time. Those who have been preparing for it – many for the best part of two years – are also realising that the task is far from accomplished while the clock is ticking.”
Ustaran advises firms not to get too hung up on the deadline. “It is crucial to appreciate that data protection compliance is not a race. The 25 May compliance deadline should be seen as more of a milestone in a long process, which will probably take years if not decades,” he says. “The right way forward requires pragmatism and patience, and firms must see the bigger picture and focus on getting the important things right. Being realistic is now of the essence.”
For private equity firms, the risks around GDPR compliance fall into two groups – those related to the fund level, and those related to portfolio businesses. At the fund level, all those that are EU-based need to review the way they handle and store employee data, data that they hold on investors, on portfolio companies, and on the management of portfolio companies. For non-EU-based fund managers, there is less exposure on the employee side and on a day-to-day basis, but those that hold investments in the EU or solicit investments from EU investors must also be aware of the implications of the new law.
At the portfolio company level, the GDPR risks vary according to the nature of each company’s operations, depending on what kind of data they hold, on what basis, and what they do with it. Most exposed are companies that regularly deal with sensitive personal data, such as healthcare firms, or those companies that serve minors or process criminal records and the like. Businesses that hold large volumes of data can also be in the high-risk category, such as social media platforms or those running client relationship management systems.
There is a new possibility that data protection regulators might directly fine buyout firms for the failures of portfolio companies, although lawyers say it is not clear how big a risk this might be.
Jane Shvets, a partner in the cybersecurity and data privacy practice at the law firm Debevoise & Plimpton, says: “Generally speaking, funds should not be on the hook for GDPR problems at portfolio company level, but that does depend on what the issues are and the potential ramifications. Certainly if businesses find themselves dealing with significant data breaches or GDPR non-compliance issues, that could have a considerable impact on the business and implications on exit. So funds should pay attention to GDPR compliance at portfolio level, especially for higher-risk investments.”
The key thing is for fund managers to ensure that GDPR is on the agenda for management teams, that robust privacy programmes are in place, and that GDPR analysis has been done. Some managers are more hands-on than others, according to Shvets, with some going so far as to offer guidance and training to management teams. “What you don’t want to do is essentially take over responsibility for GDPR compliance,” she adds. “You want to make sure it’s clearly the responsibility of the management to ensure compliance and give them help without assuming responsibility.”
In terms of how to prioritise what needs to be done to ensure compliance, Ustaran says the immediate things to look at are revisions to privacy notices and data processing agreements.
He adds: “Building a comprehensive framework of internal policies, developing a workable system of data protection impact assessments, appointing a pragmatic data protection officer, preparing for cybersecurity breaches, tightening vendor agreements and legitimising international data flows should also be a key focus.”
Shvets says she does believe the majority of private equity firms are on the case, if not yet ready.
“Among those firms that we see, who have considered how GDPR applies to their business, most have taken at least some steps to ensure compliance, and that tends to mean reviewing privacy notices online and in agreements with investors, reviewing employment policies, and making sure that framework is in place. They are also reaching out to their portfolio companies,” she says. “Where more work certainly needs to be done is in relation to breach notifications.”
GDPR requires that companies notify relevant authorities of data breaches that impact the privacy of EU individuals within 72 hours of discovery, and being in a position to do that requires policies and procedures for detecting breaches and intrusions, escalating that information to relevant individuals, and then taking decisions on the need to report.
“The reality is that very few organisations will be truly and fully compliant with the GDPR when the time comes. Because the GDPR involves such a complex set of concepts, principles, rights and rules, misinterpretations are rife,” Ustaran adds.
“I have witnessed the mammoth efforts being made by many to try and meet the requirements of the new law, but as the deadline for compliance approaches, the level of anxiety is only set to increase.”