The GDPR, or the General Data Protection Regulation, is a new EU data privacy law that comes into force on 25 May 2018. The GDPR is intended to provide a single harmonized data privacy law that applies across the EU. It applies not only within the territory of the EU, but also more broadly to any firm that is “offering goods or services” into the EU, or is monitoring the behavior of EU residents.
The GDPR imposes many new data protection requirements on the collection, use, and disclosure of personal data, which are relevant to VC and PE firms, and imposes significant fines of up to 4% of annual worldwide turnover or up to €20 million.
Since our team at Zapflow has been putting a lot of effort into finalizing our own GDPR compliance, we decided to share our insights related to the new privacy regulation and its impact on VC and PE industries. While we are not legal or IT consultants or advisors, we know quite a lot about the inner workings of PE and VC firms, as well as their investment processes. Therefore, we’ve decided to gather information relating to GDPR and present it from more of an operational or business perspective, which is targeting specifically this industry.
This in-depth report covers quite a lot of ground, but don’t take it as an ultimate resource. Instead, our aim was to introduce and analyze key elements and implications of the regulation. We came up with a model of 5 GDPR forces influencing PE and VC firms. Such an approach allows us to break down the impact of the regulation on the firms.
In any case, we need to start with a little bit more background, before we dive deeper into our analysis. Feel free to skim through the next two sections if you’re already familiar with the topic. Otherwise, it is well worth reading the whole text so that you don’t miss any important points.
GDPR – what is it and why is it important for VC and PE firms?
The scope of the GDPR is broad and covers any information that can be linked to an identifiable individual (such as search-engine entries, employee authentication, payment transactions, closed-circuit-television footage, and visitor logs to name just a few) in any format (structured or unstructured) and in any medium (online, offline, or backup storage). The regulation introduces stringent consent requirements, data-subject rights, and obligations on organizations that gather, control, and process data.
Firms in private equity and venture capital hold considerable amounts of personal data that they use in their day-to-day operations. Data relating to employees, investors and other individuals (for example within portfolio companies, borrowers and debtors) makes the GDPR very relevant to firms that have European-based businesses and European investors.
The GDPR is also tighter with respect to data breach notification than most existing regulation globally. The 72-hour deadline to notify a privacy regulator in the EU of a data breach that carries a material risk of harm to individuals is very tight. Where there is a likely high risk of adverse effects, the firm may also have to communicate the breach to the affected individuals. Hence, the regulation amplifies the potential negative effects of data breaches and cyber-attacks on a VC or PE firm’s reputation.
At the same time, the industry has been relatively slow to implement the changes. Several recent studies found that only a small fraction of funds are ready.
- According to findings from a Cordium and AmberGate survey (April 2018), more than half of investment firms are unlikely to be ready for the GDPR. [http://pages.cordium.com/rs/442-FQH-411/images/GDPR-Benchmark-Survey_April-2018.pdf]
- According to February 2018 Hedge Fund and PE Perception of Risk study by Koger, the majority (91%) of asset managers have taken at least some steps to comply with the GDPR. Yet only half have conducted training with employees involved in data collection and processing, and just 18% have set company policies to destroy outdated client data, as mandated by the regulation. [http://www.kogerusa.com/new-study-on-hedge-fund]
Key concepts and definitions
Let’s start off by defining a couple of key terms that will come up throughout this article.
The GDPR categorizes all relevant entities into two groups:
- data processors and
- data controllers.
Most fund managers will be categorized as data controllers. A data controller is a body (alone or jointly with others) that determines the purposes and means of the processing of personal data and typically uses it for any commercial purpose.
Personal data is defined very broadly. It is any information that could be used to identify a human being. This includes, to name just a few, name, date of birth, address, employee identification number and other location data. It is a broader set of identifiers than would typically be considered PII, or personally identifiable information, under existing US law.
Data processors are entities that do something with personal data in connection with providing a service to a data controller. Processing activity can include collecting, organizing, storing, disclosing, using, etc. Some examples of data processors are fund administrators who are doing AML (Anti-Money Laundering) and KYC (Know Your Customer) types of reviews, CRM, deal flow management systems, payroll processors, accountants and IT providers.
If a fund is based in EU and operates only or primarily there, it will be covered by the GDPR. Period.
For funds based outside of the EU the relevance of the new regulation might still be high. Let’s look at two of the most relevant ways in which a fund might still fall under the scope of the regulation, even if its head office is not within the territorial limits of the EU.
- Establishment in the EU - An EU-registered fund or fund manager would, of course, count as an establishment, and even a representative office of a foreign-based manager would count as one. Essentially, if a fund has some kind of brick-and-mortar presence in the EU, then it will very likely be covered by the GDPR.
- Offering goods or services into the EU - If a fund runs intentional and systematic marketing to EU-based investors (irrespective of whether these are individual or institutional investors), it already falls within the scope of the GDPR.
Principles for data protection
The GDPR requires data controllers to be responsible for, and able to demonstrate compliance with, the seven GDPR principles relating to the processing of personal data. Below you can see a list of these principles, followed by further details on each.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness, fairness and transparency
Data should be processed only when there is a lawful basis for such processing. Of the six legal grounds listed in the regulation, three seem most relevant for VC and PE firms. These lawful grounds for processing are:
- where necessary to accomplish legitimate interests pursued by the firm or by third parties;
- where consent from the private individuals has been obtained; and
- where necessary to comply with an EU or Member State law.
The legitimate interest ground requires the firm to assess that its legitimate business interests do not override the privacy rights of private individuals. Specifically, the firm would need to objectively assess whether the purposes for which the personal data are being processed are valid, and whether those purposes can only be achieved by processing the data.
What is important to note here is that under the GDPR individuals have a right to object to processing based on legitimate interests. If they do, the firm must cease processing unless it can demonstrate a strong case not to.
If consent is used as a lawful basis for processing, then it must be freely given and informed. This means that the private individuals must have a real choice as to whether to give consent or not. Furthermore, individuals can withdraw their consent at any time. Consequently, where possible, VC and PE firms should consider relying on legitimate interest as the basis for processing to simplify their operations.
As for the legal ground of necessity to comply with an EU or Member State law, this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to the private individuals subject to it. This legal ground could be helpful to firms where the processing of personal data is required to comply with EU regulatory requirements, such as carrying out anti-money laundering checks on investors.
The requirement to process personal data “fairly” is extensive. It places an obligation on firms to inform private individuals of certain information regarding how their data is processed (for example, the purposes of the processing, the identity of the controller, the recipients of the data and their data privacy rights).
Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Any further processing is not permitted unless the private individual has consented to the new purpose.
However, there are exceptions to this purpose limitation principle. The most relevant exception is processing for statistical purposes, which is not considered “incompatible”.
Data minimization
The GDPR requires that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. There should be no data collected because “it might be useful later” or “just in case”.
Accuracy
Under the GDPR, personal data should be accurate and, where necessary, kept up to date.
In fact, there are no exemptions to this principle, and firms should consider whether they have appropriate mechanisms to check accuracy and ensure that private individuals have an opportunity to update their personal data, e.g. an annual audit of employee information.
Storage limitation
Personal data must be kept in a form which permits identification of private individuals for no longer than is necessary for the purposes that originally served as grounds for processing. Consequently, indefinite retention of personal data is not recommended.
Integrity and confidentiality
The GDPR requires that personal data must be processed in a manner that ensures appropriate security of the personal data. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Firms should use appropriate technical and organizational measures to address these issues (more on this topic in Vendors, other third parties and cyber security).
Accountability
Data controllers are required to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR”. In practice, this means that data protection should be embedded in the business.
The regulation specifies that firms should implement appropriate data protection policies in relation to personal data processing activities. However, implementing such policies alone will not achieve compliance with the accountability obligation. Instead, firms will be required to implement a range of measures as needed to ensure compliance with all their obligations under the GDPR. More on that in the Internal processes and employees subsection.
In any case, organizations with 250 or more employees should maintain a record of data-processing activities and be ready to present it to the regulator at any time. The GDPR requires that records are kept in writing.
Rights of individuals
The data privacy rights of individuals under the GDPR are extensive. This is in line with one of the key intentions of the GDPR, to “put individuals in control of their data”. As a result, VC and PE firms may find themselves subject to requests from, for example, their employees, investors or portfolio company employees who want to exercise their privacy rights. Firms should determine and document in advance how best to manage and respond to a request to exercise such privacy rights.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
VC or PE fund managers, or any other company for that matter, must provide individuals with information including: the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. This is commonly referred to as “privacy information”.
Firms must provide privacy information to individuals at the time it is collected.
The information provided to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. It is acceptable to provide information using a combination of different techniques.
The right of access
Individuals have the right to access their personal data and supplementary information. These primarily include confirmation that their data is being processed and access to their personal data.
The right of access allows individuals to be aware of and verify the lawfulness of the processing.
The right to rectification
Individuals have the right to have inaccurate or outdated personal data rectified. An individual may also be able to have incomplete personal data completed.
An individual can make a request for rectification verbally or in writing. Firms have one calendar month to respond to a request. In certain circumstances it is acceptable to refuse a request for rectification.
Overall, the right to rectification is closely linked to the controller’s obligations under the accuracy principle of the GDPR.
The right to erasure
Individuals have the right to have personal data erased. This is also known as the “right to be forgotten”. The right is not absolute and only applies in certain circumstances.
Individuals have the right to have their personal data erased if (the list below includes only the points most relevant for PE and VC firms):
- the personal data is no longer necessary to meet the original purpose or the required processing;
- they withdraw their consent which was originally given and served as a lawful basis for holding it;
- the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- it is processed for direct marketing purposes and the individual objects to that processing.
Individuals can make a request for erasure verbally or in writing, and the firms have one month to respond to a request.
The right to restrict processing
The GDPR gives individuals the right to restrict the processing of their personal data. This means that an individual can limit the way that an organization uses their data. This is an alternative to requesting the erasure of their data.
An individual can make a request for restriction verbally or in writing, and the firms have one calendar month to respond to a request.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies to personal data an individual has provided to a controller, where the processing is based on the individual’s consent or on the performance of a contract, and where processing is carried out by automated means. Therefore, the applicability of this right to PE and VC funds might be more limited. Still, it might be very relevant for portfolio companies.
In any case, data controllers must provide the personal data in a structured, commonly used, and machine-readable form. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organizations to use the data.
The information must be provided free of charge.
The right to object
Individuals have the right to object to processing based on legitimate interests or the performance of a task, to processing for direct marketing, and to processing for statistical purposes. Individuals must base their objection on “grounds relating to his or her particular situation”.
Individuals must be informed of their right to object “at the point of first communication” and in the privacy notice.
Rights in relation to automated decision making and profiling
The GDPR has provisions on and applies to automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
Automated individual decision-making is a decision made by automated means without any human involvement. Examples of this include:
- an online decision to award a loan; and
- a recruitment aptitude test which uses pre-programmed algorithms and criteria.
Automated individual decision-making does not have to involve profiling, though it often does.
The GDPR says that profiling is:
“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Firms must identify whether any of their processing falls under automated decision making or profiling and, if so, make sure that they:
- give individuals information about the processing;
- introduce simple ways for them to request human intervention or challenge a decision;
- carry out regular checks to make sure that their systems are working as intended.
5 forces of GDPR impacting VC and PE firms
Now that we’ve covered the basic concepts and definitions related to the GDPR, it is time to break down the impact of the regulation on VC and PE firms. After thinking about how to present it best to make it easier to follow and to make it more practical, we arrived at “GDPR model of 5 forces for PE and VC firms”.
Investors, fundraising and marketing
The GDPR might impact relationships between fund managers and investors in several ways. The most prominent ones are within communication and marketing activities. At the same time, the GDPR can spur some managers to have a fresh look at their compliance and IT security, which can impact how they position their firms against competing funds.
On a higher level, fund managers, when dealing with investors, are typically rather cautious not to raise flags about new potential risk areas and regulations that require compliance. Nevertheless, they need to be ready to respond to any queries from the investors in relation to this topic. Therefore, it currently seems to be a bit of a balancing act. In any case, GPs risk their reputation, if they don’t have convincing answers related to their approach to GDPR compliance. Hence, it is a serious topic.
Based on our research, many fund managers are currently working with their attorneys to gain a fundamental understanding of the requirements of the new law. This way, they can apply the selected approach across all mediums of interaction with investors.
Investors’ personal data is not only handled by employees, but also transferred to third parties (such as data rooms). Consequently, employee training and contract updates are important ways in which fund managers (plan to) adjust to the new regulation.
GDPR and marketing activities of non-EU funds
The GDPR covers funds that market in the EU. The key to determining whether a non-EU VC or PE fund is offering services to investors in the EU is the business’ intention, and whether it is apparent that an offer to individuals located in the EU was “envisaged”. The list below shows examples of activities that are likely to qualify as targeting EU investors:
- marketing materials are in a European language other than the local language of the firm;
- Euro-denominated fund offerings;
- using references to EU-based investors to promote services.
It is important to note that the GDPR is not retroactive, which means that past activities (such as marketing to EU-based investors in the past) do not automatically make firms subject to the new regulation. The determining factor is the firm’s activities going forward. However, if a firm finds itself within the scope of the GDPR, it needs to be compliant for all its past and new data. This applies to personal data of current investors who existed before May 25, 2018.
Portfolio companies and the investment life cycle
The GDPR will have a potentially tremendous effect on the portfolio companies of PE and VC funds. Furthermore, it will also likely impact the process of dealing with the portfolio companies throughout the full investment life cycle. However, it is not all doom and gloom, as the new regulation will also create business opportunities, and for some companies, might enable creation of competitive advantage and differentiation.
In this section, we break down the lifecycle of a portfolio company into stages and look at how the GDPR might impact the companies and fund manager at each step.
Thinking about the universe of investment targets at the pre-investment and pre-DD phase, the GDPR is unlikely to have any major impact on the approach of the majority of PE and VC firms. At least in the early days after the new regulation enters into force, fund managers should expect their potential targets to be non-compliant.
An SAS survey from April 2018 [https://www.prnewswire.com/news-releases/survey-only-7-percent-of-businesses-gdpr-compliant-as-deadline-looms-data-privacy-gains-prominence-300635209.html] found that 93% of the respondents were not fully compliant. Multiple other studies find similar results. While this situation might change over time, at this point it clearly has implications later in the life cycle of the investment targets.
However, for certain industries, and likely for some VCs, the GDPR might be more relevant already at this stage. There are two sides of the coin.
On the positive side, the new regulation creates a stronger need for various companies to use third party service providers that enable or facilitate compliance. This creates new business opportunities, which can be capitalized on by potential investment targets.
Two examples of new business opportunities are data flow mapping and data inventory tools. Both of these were popular among Deloitte’s GDPR Benchmarking Survey [https://www2.deloitte.com/global/en/pages/risk/articles/deloitte-gdpr-benchmarking-survey-the-time-is-now.html] respondents – 40% of them indicated that they are “definitely considering” such tools.
Furthermore, the GDPR will impact the way customer relations are managed. Many existing businesses aren’t well prepared for asking for customer consent to process their personal data, leaving room for start-ups with innovative ideas and innovative business models around managing the customer relationships.
Also, the introduction of the regulation might result in more room for paid services. In many cases, customers will need to consciously give companies consent for personal data processing, per purpose. Consequently, they will understand better what they currently “pay”, in terms of giving away their data, for a “free” service. Once they do, more customers might choose an option where they pay with money to increase the privacy of their data. Thus, direct monetization might become more viable for some services that currently need to rely on advertisements.
On the negative side, leveraging alternative data and profiling will be more challenging. In fact, 49% of respondents in the SAS global cross-industry survey said that the GDPR will affect their artificial intelligence programs. This might hinder the growth of some companies that can’t generate enough revenue before reaching a very high number of users.
“The DD phase has to change,” says Reggie Rusan, founder of SimpleTec Solutions, a consultancy firm helping small and medium enterprises become GDPR compliant. He adds, “The investors need to understand whether their investment targets are GDPR compliant or have plans to become compliant. The cost projections going forward need to reflect not only the initial investment related to GDPR, but also ongoing operational costs. These are two big things that investors need to look at in the DD phase.”
GDPR compliance is not, however, the only compliance and risk element considered in DD. Looking more broadly, it fits well into the overall analysis of compliance and IT risks. In fact, a 2017 survey [https://www.cynation.com/cyber-risks-an-increasing-concern-for-private-equity-and-venture-capital/] found that 65% of PE and VC investors considered cyber security and compliance of high importance in their DD process. Another 18% claimed that it is a critical element of their DD.
In practice, the scope of the GDPR implementation needs identified during DD must be aligned with business objectives. This means that VC and PE firms need to not only understand the legal requirements, but also define what risks the potential portfolio company should be willing to accept, and what value it targets to extract from the compliance program. These will drive the implementation schedule and the budget.
Specifically, for technology and web-based businesses the GDPR DD might be of critical importance. Websites that use tracking cookies and apps that track usage are very likely to fall within the scope of the new regulation. Also, more broadly, businesses that “track” individuals in the EU for the purposes of creating profiles in order to analyze or predict personal preference, behaviors, and attitudes are covered under the GDPR.
Portfolio company growth
For any portfolio company that is within the scope of the regulation there is an opportunity to benefit from the changes required under the GDPR. The two approaches that we’ve identified include:
- leveraging the GDPR compliance implementation to increase capabilities of the business and
- using the GDPR compliance as a differentiator and a competitive advantage.
The GDPR implementation program can be an opportunity for a portfolio company to embark on a wider data transformation that will benefit the whole business. One example is taking advantage of the program to reengineer a business’ master data-management platform, so that all parts of the organization have a complete picture of all personal and other data on any given customer. Another example we came across was a company using GDPR-inspired reforms as an opportunity to build greater flexibility into its data platforms. This resulted not only in compliance with the new provisions, but also allowed it to respond more readily to future regulatory changes. Such approaches leverage the GDPR implementation budget to gain wider business benefits.
To take it a step further, GDPR as a competitive advantage is an example of an abundance-mentality approach to the problem. It is not a surprise that half of the chief information security officers working for major companies and surveyed by McKinsey & Company in mid-2017 [https://www.mckinsey.com/business-functions/risk/our-insights/tackling-gdpr-compliance-before-time-runs-out] regarded the GDPR as primarily a hindrance to their business. Undoubtedly, the regulation will impose a burden on their organizations. Many companies are likely focusing on limiting any negative impacts the GDPR might have on them.
However, precisely because of this dominating negative attitude towards the regulation, there is an opportunity for companies in most industries to stand out and build a long-term competitive advantage. A well-conceived GDPR implementation program can help an organization to improve customer relationships and trust, as well as improve internal data handling, control, and availability.
According to Reggie Rusan, “[Most companies] still have the opportunity to be first in their market space to become GDPR compliant. Even if they are not 1st they should make GDPR compliance part of their brand, because it builds trust with the customers and effectively can make GDPR a competitive advantage.”
Clearly, a lack of documented compliance with key privacy requirements may lead to a lower valuation of the company if the buyer perceives that there is a privacy risk. Based on our research, it seems that, especially in PE deals, an increasing number of firms on the sell side are using an external privacy due diligence provider with the objective of eliminating unnecessary non-compliance and thereby increasing the deal value.
Let’s step back for a moment and look at the relationship between valuation and the GDPR from several perspectives.
Target companies with an outlined personal data strategy may be easier to value for potential buyers. The buyers are also likely to appreciate that they will not have to implement a new privacy strategy and adequate legal framework post-closing of the transaction, which often is expensive, time consuming, and challenging to implement successfully. These points are definitely valid when we look at the target company on a stand-alone basis.
However, many transactions are driven by the buyer's appetite for the value represented by the target company's possession of large quantities of personal data, and the idea that the buyer will be able to further capitalize on this information. This means that the purpose for which the information is used will most likely change. If we recall the principles of data protection, GDPR, in many cases, mandates consent per purpose, which must be given unambiguously and informed. It can also be revoked at any point in time. In this situation, it is likely that a new consent must be given. That is the moment where many customers might refuse their consent.
The number of customers lost in such transition will depend on the amount of data collected, the purpose and the balance between these, and the value of the service to the customers. Overall, the price for consent will clearly increase. When we add the increasing uncertainty regarding the sustainability of consumer relations, it is clear that the GDPR might impact the valuation.
Specifically, for startup valuation, the uncertainty related to post-exit user retention might negatively impact valuations of pre-revenue and early stage companies. This will apply most to companies which are developing solutions heavily reliant on personal data.
Vendors, other third parties and cyber security
The GDPR creates new requirements and highlights the importance of dealing with personal data and how it is handled, transferred and processed externally. The global nature of the private equity and venture capital industry means that firms will routinely share personal data with investors, administrators, fund managers, vendors, other third parties and regulators, including transfers outside of the EU. These transfers must be compliant with the GDPR. The GDPR will apply to both one-off decisions to share personal data and routine sharing (intra-group or with third parties).
Looking at PE and VC firms from this perspective, we have identified several ways in which the new regulation might impact the operations and processes of the firms. We first discuss how the GDPR might influence firms’ relationships with third-party vendors. After that, we touch on cybersecurity, sensitive personal data, international transfers, and we cover more practical steps related to personal data sharing.
According to the GDPR, firms must ensure that any third-party vendors who process personal data on behalf of the firms comply with appropriate security requirements to fulfil the integrity principle.
Firms should ensure that vendors they appoint are bound by written GDPR-compliant data processing terms, which include (among other things):
- only processing data on instructions from the controller (most likely the fund manager);
- implementing appropriate technical and organizational security measures;
- notifying the controller of any personal data breach without undue delay;
- allowing the controller to conduct audits of the vendor’s compliance; and
- only appointing its own vendors upon notice to the controller.
A good practice for firms is to ensure that, when selecting new vendors, they ask the vendor to complete a vendor questionnaire that includes an information security assessment.
Attendees of a February 2017 seminar [https://www.cynation.com/cyber-risks-an-increasing-concern-for-private-equity-and-venture-capital] on impacts of cyber challenges on PE and VC firms confirmed that cyber resilience is a major concern. In fact, 53% stated that they are either worried or not confident about their fund’s cyber resilience. Another 38% didn’t know the status. GDPR might be a wake-up call for many managers.
Overall, the GDPR does not impose prescriptive data security measures, but rather emphasizes a risk-based approach to compliance. The GDPR obliges data controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. This means that firms and their vendors can tailor their approach according to the nature of the activities and the types of personal data that are being processed.
Firms should assume that when processing sensitive personal data, the risks involved are higher as compared to where the organization is processing “more regular” personal data. The security measures should then be implemented to mitigate such risks, considering the “state of the art, [and] the costs of implementation”.
While the GDPR doesn’t impose any solution, it suggests various technical and organizational measures that may be considered appropriate to implement in order to comply with the GDPR’s information security requirements. These include:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (for example an audit process).
Sensitive personal data and international transfers
The new regulation sets a higher bar for firms to meet in order to justify the processing and sharing of sensitive personal data. Such data can only be shared if one of a limited number of legal grounds is satisfied. The most relevant legal grounds for VC and PE firms include:
- receipt of explicit consent of the individuals to the sharing in question;
- requirements or exemptions set by law; or
- if the sharing is necessary for the establishment, exercise or defense of legal claims.
One relevant example of an exception that might be set by national law relates to anti-money laundering checks. Some countries might require firms to carry out background checks and process criminal conviction data to comply with anti-money laundering regulations.
Furthermore, the GDPR sets restrictions on the transfer of personal data to countries outside of the EU. The transfer of personal data to recipients outside the EU is generally prohibited unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.
To the extent that personal data are transferred from the EU to the US, firms should keep a watchful eye on the progress of the EU-US Privacy Shield.
Practical steps to take in relation to personal data sharing
Even though we are not experts in this field, we have put a lot of effort into our own preparations to make Zapflow GDPR compliant. Through this experience and further research, we have identified practical actions that VC and PE firms could consider in order to make the sharing of the personal data they process GDPR compliant.
To understand where personal data is going and why, firms should consider mapping all such data. This exercise should capture any data shared internally across the organization or externally with third-party vendors. It is likely to include at least some of these:
- Employee personal data – some international firms routinely share employee personal data across their offices (e.g. through a centralized HR or payroll system);
- Investor personal data – it is likely to be shared between entities, for example, through CRM systems;
- Portfolio company employee data – background checks, resumes and compensation plans might be shared via data rooms or reporting systems; and
- Third-party vendors – passport information shared with KYC/AML vendors and IT service providers. Large, global vendors are likely to be located in third countries.
Firms should consider which of the current international data transfer approaches offer the most appropriate solution. Some firms might find that reliance on “adequate jurisdictions” or putting model contracts in place between group entities is sufficient.
Both data controllers and data processors are required by the GDPR to maintain a record of any transfers of personal data to a third country and details of what adequacy decision or international data transfer solution has been applied in respect of each transfer.
Some further steps a firm might take in relation to data transfer compliance include:
- Checking if vendor contracts contain provisions which cover international transfers;
- Checking if privacy notices provided to all relevant individuals give information on any cross-border data transfers and the mechanism used to legalize such transfers;
- Monitoring new systems and business processes to ensure that appropriate data transfer solutions are put in place.
While the GDPR places some requirements on formal processes, it also indirectly implies the need for a change in the employee training and even culture. These are ambitious goals for a regulation to have, especially given such a broad applicability of the new law.
PE and VC firms have a multitude of ways to implement compliance in practice. The firms that take a more strategic approach, rather than just trying to tick the required boxes, stand a chance to reap long-term benefits from their newly acquired capabilities. It will make them more future-proof in terms of regulatory changes and might help them attract more LPs.
In this section we cover what, in our understanding, represents more of a strategic approach to GDPR compliance implementation, and discuss some of the key ideas behind the Data Protection Officer (DPO) role and the Data Protection Impact Assessment (DPIA).
Strategic approach and privacy by default and design
The GDPR is just one of many laws that firms have to comply with. Therefore, coordinating actions across different compliance programs is a much more intelligent and strategic approach. This applies to the implementation plans as well as to ongoing compliance. Such a method helps to avoid duplicating the effort for each regulation and reinventing the wheel every time something new turns up.
Every firm has a specific situation and different regulations that it might fall under. However, looking at the core of the requirements, a serious and coordinated way of dealing with cybersecurity, data and vendor management, as well as transparency and privacy, will build the required foundations. Once that is in place, the technicalities of complying will be much easier than targeting specific laws with internal policies.
Going forward, data privacy and protection issues should be considered by firms at the outset of developing new systems and processes. It will also be important for firms to consider how compliance may be incorporated into new systems (for example, how firms will comply with the right to erasure or the data portability requirements).
The GDPR comes with privacy by design and by default as handy tools to make compliance a natural outcome of new process, system, or service development. These concepts “aim at building privacy and data protection into the design specifications and architecture of information and communication systems and technologies” and ensure that firms consider data privacy issues throughout the lifecycle. The GDPR provides that data minimization applies not only to the amount of data collected, but also to the “extent of their processing, the period of their storage and their accessibility”.
Also, taking a privacy by design approach offers the potential to identify problems at an early stage of development. Consequently, firms can save costs and take corrective actions to steer the development towards an outcome that is compliant with the regulation.
Overall, such a strategic and coordinated approach has the potential to really drive the firms’ long-term access to capital. Ultimately, LPs are not experts in compliance and cybersecurity topics, so when considering investing in a fund, or maintaining an investment in a fund, they might use specialized due diligence professionals. When equipped with such expertise, many LPs no longer accept minimum compliance as good enough. What they want to see is managers being proactive in addressing these issues. Firms going above and beyond bare minimum compliance are likely to stand out.
Data Protection Officer (DPO)
Not every firm is required to have a DPO under GDPR. The most relevant trigger for PE and VC firms is if the firms are “engaging in the regular and systematic monitoring of data subjects on a large scale.” Thus, it’s possible that this requirement may not apply to many firms, even if they otherwise are subject to the GDPR. Nevertheless, it might be useful for many firms to have a DPO or a DPO-like person.
The DPO should be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”. Furthermore, the regulation specifies the following requirements in relation to the DPO role:
- the DPO must be independent – the DPO can hold another position but must be free from a conflict of interest. The head of Marketing, IT or HR might have such a conflict, as these roles determine the purposes and means of data processing;
- the business must ensure the DPO exercises its functions independently and reports to the highest level of management;
- the business must not dismiss or penalize the DPO for performance of its tasks;
- the level of expertise required of the DPO must be in line with the sensitivity, complexity and amount of data processed;
- the DPO must have expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; and
- the personal qualities of a DPO should include integrity and high professional ethics – the DPO’s primary concern should be enabling compliance with the GDPR.
Many firms will naturally consider assigning the title of DPO to the Chief Compliance Officer (CCO), if they have one. This is acceptable if the CCO has the bandwidth and resources to carry out the new responsibilities. CCOs are often busy people and they are not necessarily involved with all the operational issues. Thus, providing the appropriate resources, either internally (for example, a deputy) or externally (via a service contract with an individual or an organization), is one way to tackle this issue.
What is important to note is that, while the role can be outsourced, the responsibility ultimately stays with the firm. Therefore, it is not a surprise that regulators have criticized firms that try to outsource that responsibility completely, because it cannot be outsourced.
Data Protection Impact Assessment (DPIA)
The GDPR sets out the requirement to carry out a data protection impact assessment (DPIA) in situations where personal data processing uses new technologies and is likely to result in a high risk for private individuals. This could be relevant to certain firms which carry out activities such as extensive monitoring of their employees (for example, video surveillance or other public monitoring).
If the firm has appointed a Data Protection Officer (DPO), the firm should seek the advice of that officer when carrying out the data protection impact assessment. A DPIA involves balancing the interests of the firm against those of the private individuals.
Typically, such an impact assessment should contain as a minimum:
- A description of the processing operations and the purposes;
- An assessment of the necessity and proportionality of the processing in relation to the purpose;
- An assessment of the risks to private individuals; and
- The measures in place to address that risk.
Authorities and enforcement
The GDPR will be enforced via national supervisory authorities within the EU that are granted rather broad enforcement powers and sanctions. The fines for failure to comply will be high, reaching as much as 4 percent of annual worldwide revenues. The GDPR also allows individuals to seek civil actions (including class-action lawsuits) against organizations that violate their data-protection rights.
In this section we walk through several key topics for PE and VC firms. These include the concept of Lead Data Protection Authority, regulation enforcement, and what happens in case of violation of the regulation.
The GDPR employs a so-called one-stop-shop mechanism for businesses when it comes to dealing with data protection authorities (DPAs). In practice, this means that firms need to deal with only one lead DPA, which is in the same country as the main establishment of the firm. This should simplify any dialogue with authorities, especially if a firm operates in multiple EU countries.
In case a company doesn’t have an establishment in the EU, the GDPR does not permit “forum shopping”. In such a situation the firm must deal with DPAs in every EU Member State in which it is active.
DPAs under the GDPR have two types of powers. These include:
- investigative powers (e.g. to carry out data protection audits) and
- corrective powers (e.g. to impose a temporary or definitive limitation, including a ban on data processing activities, and order the suspension of international data flows). DPAs also have the power to impose administrative fines.
In terms of fines, the GDPR utilizes a two-tier structure. The first tier is primarily concerned with functional, operational, or administrative infringements. Examples of these include infringements of the requirements around data protection by design and by default, data processing records, data security, personal data breaches, DPOs and DPIAs. Fines in this category can range up to the greater of €10 million or two percent of annual worldwide turnover.
The second tier relates to infringements of the requirements around the data protection principles, data privacy rights, and international transfers. Fines in this category can reach up to the greater of €20 million or four percent of annual worldwide turnover.
In any case, the administrative fines imposed should be effective, proportionate to the infringement, and discouraging of repetition.
Remedies for private individuals
The GDPR strengthens the remedies available to private individuals in the EU. In fact, the threshold to lodge a complaint with a DPA is relatively low. It is sufficient that an individual considers that the processing of his or her personal data does not comply with the provisions of the GDPR.
The regulation indicates that any person who has suffered material or non-material damage (financial or non-financial losses) because of an infringement of the GDPR may be entitled to compensation.
Personal data breaches and regulation violation
There’s been a lot of speculation in terms of how stringent the authorities are going to be with the enforcement, especially with respect to non-EU-based entities. At this point, it is difficult to predict. In any case, it is clear that authorities in many countries are hiring more staff to increase their capabilities to enforce the new regulation.
Also, it is likely that the DPAs will start with some low-hanging fruit examples of enforcement cases before moving on to more granular violations of the regulation.
Coming back to the more practical impact on day-to-day operations of PE and VC firms, if the security of personal data is compromised or breached, there is a risk of significant adverse effects on the firm, not to mention private individuals. Consequently, the new regulation requires personal data breaches to be reported to the relevant DPAs.
The GDPR defines a personal data breach broadly as a “breach of security leading to the accidental or unlawful destruction, loss, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”.
Data controllers faced with a personal data breach must notify the relevant DPA “without undue delay” and, where feasible, no later than 72 hours after the data controller becomes aware of the breach. The 72-hour deadline is a very tight timeframe for making a notification.
One way for firms to prepare for such a notification is to rehearse the process in advance. Such employee training can give them a sense of who would have to be involved, and what steps must be taken to be able to make a notification within that kind of tight deadline.
Where there is a likely high risk of adverse effects on the private individuals, the firm may also have to communicate the breach to the affected individuals. Processors must, without undue delay, notify all personal data breaches to the relevant controller (that is, the firm).
Firms are exempt from notifying a personal data breach to the relevant DPAs if they can demonstrate that it is unlikely to result in a risk to the rights and freedoms of the relevant private individuals.
The final point related to regulation violation that we’d like to make is that the GDPR introduces a form of joint liability between controllers and processors. The GDPR entitles the aggrieved individuals to obtain full compensation from either the controller or the processor, leaving it to that controller and processor to deal with the apportionment of liability between them.
Key references and further resources
- Official Journal of the European Union containing the GDPR legislation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC
- Final text of the GDPR neatly arranged to make it easier to read and browse: https://gdpr-info.eu/
- Guide to the GDPR by UK’s Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Useful guides and checklists on GDPR-related topics by Taylor Wessing: https://united-kingdom.taylorwessing.com/en/gdpr/useful-guides
- Tackling GDPR compliance before time runs out by McKinsey & Company: https://www.mckinsey.com/business-functions/risk/our-insights/tackling-gdpr-compliance-before-time-runs-out#0
- Guide to GDPR for the funds industry by British Private Equity & Venture Capital Association [PDF]: https://www.sidley.com/-/media/publications/gdpr-guidemar18_web.pdf
- GDPR benchmark report – a view from the financial markets, a Cordium and AmberGate survey [PDF]: http://pages.cordium.com/rs/442-FQH-411/images/GDPR-Benchmark-Survey_April-2018.pdf