On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) begins to apply. GDPR poses significant challenges for private equity firms and their portfolio companies that process personal data belonging to individuals in the EU, and non-compliance can draw fines of up to €20 million or 4% of a firm’s worldwide annual turnover, whichever is higher.
Many firms have already taken steps to meet their GDPR obligations, but others are only now becoming aware that their personal data processing activities fall within GDPR’s scope.
8-Step Game Plan to Comply with GDPR
To prepare for the May 25 compliance date, here are eight steps your firm should take to comply with GDPR requirements.
- Determine if GDPR applies to your firm – GDPR applies to firms established in the EU, and to firms outside the EU that offer goods or services to individuals in the EU or monitor their behavior. If your firm stores, processes, or transmits the personal data of people in the EU, it is safe to assume that GDPR applies. Personal data is defined broadly as any information relating to an identified or identifiable natural person, and includes data elements such as first and last name, email address, bank details, and IP address, among others. GDPR also identifies special categories of data that increase your compliance obligations, including information revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership, as well as genetic, biometric, and health data.
- Determine if your firm is a controller or processor – A controller decides the purposes and means of processing, while a processor processes personal data on behalf of, and on the documented instructions of, a controller. A controller carries the greater responsibilities and must be able to demonstrate compliance with all of the data protection principles set out in Article 5. A processor has fewer, but still direct, obligations under GDPR, including keeping records of its processing, securing the data, and notifying the controller of personal data breaches without undue delay. A firm can be both a controller and a processor. For example, your firm is a controller when it collects information on EU job applicants, and a processor when it offers services through an online platform that manages personal information on behalf of a third party.
- Build and maintain detailed personal data processing records – One of GDPR’s data protection principles is accountability, which requires firms to be able to demonstrate compliance, in part by maintaining records of their processing activities (Article 30). These records must detail the purposes of processing, the categories of data subjects and of personal data processed, the categories of recipients of that data, any transfers of the data to countries outside the European Economic Area (“EEA”) and the safeguards applied to those transfers, the envisaged retention periods, and, where possible, a general description of the technical and organizational security measures your firm has implemented to protect the data. Article 30 exempts organizations with fewer than 250 employees only if their processing is occasional, is unlikely to result in a risk to individuals, and involves no special categories or criminal conviction data, so most firms that handle investor, employee, or portfolio company data should expect to keep these records.
- Map relevant data workflows – Although data flow maps are not required under GDPR, it is difficult to meet GDPR’s many requirements without mapping how personal data moves through your firm’s business processes and systems. A data flow analysis shows where personal data is collected, stored, shared, and deleted, so that controls can be placed where the data actually resides, your processing records reflect reality, and gaps such as undocumented transfers outside the EEA or retention beyond the stated period become visible.
- Conduct a governance and risk assessment – GDPR requires security measures appropriate to the risk of the processing (Article 32) and a data protection impact assessment before any processing that is likely to result in a high risk to individuals (Article 35), such as large-scale monitoring or processing of special categories of data. A firm-wide assessment of the key risk areas relating to the processing of personal data is the natural starting point for both, and identifies where those impact assessments are needed. In addition, your firm should review and update its existing privacy and information security policies and procedures for alignment with its GDPR requirements.
- Develop or update your incident response plan – To comply with GDPR, firms must update their incident response plans to cover the breach notification requirements. Under GDPR, a controller must report a personal data breach to the appropriate Supervisory Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them; a processor must notify its controller without undue delay. Every breach, whether notified or not, must be documented together with its effects and the remedial action taken, because the Supervisory Authority can ask for that record. The plan should therefore name who decides whether a breach is notifiable and on what evidence, and it should set out the measures needed to investigate and contain the breach and to remediate the vulnerabilities it exposed.
- Train employees – A foundational component of an effective GDPR compliance program is a trained workforce. Firms should run a training and awareness program that promotes privacy and data protection awareness among staff: general GDPR training for every employee who handles EU personal data, and, where appropriate, role-based training for individuals or groups that carry out functions such as vendor management, marketing, or product development.
- Identify vendors that act as data processors – Vendors that process personal data on behalf of your firm, such as payroll providers or cloud storage providers, are data processors under GDPR. Although GDPR imposes obligations on processors directly, your firm remains responsible as controller and may use only processors that provide sufficient guarantees of GDPR-compliant processing, so due diligence on each vendor’s capability is still required. Article 28 also requires a written contract with every processor that, among other terms, limits processing to your documented instructions, binds the vendor’s staff to confidentiality, requires appropriate security measures, controls the use of sub-processors, obliges the vendor to assist with data subject requests and breach notification, requires deletion or return of the data when the service ends, and gives your firm the right to audit.
The following ACA resources are available to help your firm navigate the complexities of the GDPR regulation:
- Upcoming Webcast (2/27) – For a deep dive into GDPR compliance and what your firm needs to know for the May 25 deadline, join us on February 27 for our webcast, GDPR: Preparing for the May 25 Deadline.
- FAQs – ACA Aponix’s team of compliance professionals has assembled a GDPR FAQ for Investment Managers.
About the Author
Alex Scheinman is the Director of Privacy at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. In this role, he oversees ACA Aponix’s GDPR data processing reviews and data privacy. Prior to ACA, Alex served as a Privacy Manager in EY’s cyber practice. While at EY, Alex oversaw multinational privacy gap assessments for Fortune 100 and Fortune 500 companies against regulatory and industry frameworks including GDPR, PIPEDA, HIPAA, and COPPA.
Earlier in his career, he served as an adjunct professor at George Mason University teaching conflict analysis and resolution. Alex earned a B.A. in English from the University of Michigan, an M.A. in Literary Theory and Cultural Studies from Carnegie Mellon University, and a Ph.D. in Conflict Analysis and Resolution from George Mason University.