Regulatory Cyber Alert: GDPR Implications for U.S. Private Equity Fund Managers

May 11, 2018

ACA Aponix has observed that some U.S. private equity fund managers may be unaware of the implications of the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.

In many cases, U.S.-only PE managers have been advised that GDPR is out of scope, but there are important GDPR considerations related to the evaluation of potential deals and to portfolio companies. Despite not having offices in Europe, a U.S. PE manager may be required to sign a data protection addendum as part of a deal evaluation and/or as part of portfolio company oversight.

GDPR Implications via Potential Deals

If GDPR is properly complied with, the seller in an auction process will require that a Data Protection Addendum (DPA) be signed in addition to the standard NDA if the seller is including European resident data in the data room (e.g., management compensation, HR census data, or even independent contractor information). In most cases, the deal room includes data implicated by GDPR for sellers with European offices. Thus the DPA is a requirement to gain access to these potential deals. A sample of what a deal room DPA might look like is available here.

The DPA will require that you, as a bidder, represent that you will act as a Data Processor within GDPR guidelines. Without implementing a GDPR compliance program, you likely will not be able to represent that you meet DPA requirements, which may preclude you from accessing potential deals.

GDPR Implications via Existing Portfolio Companies

Private equity fund managers that have existing portfolio companies with European operations/establishments may have GDPR implications through employee Director roles.

The Board of Directors often receives GDPR-implicated data, such as compensation data, and sometimes even data considered “special category” under GDPR, such as union membership. Director-level data is often shared with the broader deal team. The Directors and PE owner could be forced to sign a DPA, similar to that noted above for potential deals, and that would pass down GDPR compliance requirements to the PE manager. Depending on the circumstances, you may want to execute a DPA between your fund(s) and your adviser entities to cover data exchange with all portfolio companies.

Portfolio companies themselves should implement GDPR requirements if implicated. Given the fines of up to 4% of global revenues or 20mm Euros (whichever is higher), this is a significant investment risk to consider, and something the SEC may consider a material risk to end-investor assets. Many PE managers have undertaken portfolio sweeps to determine where the various portfolio companies stand with their implementation of GDPR compliance.

ACA Guidance

U.S. private equity fund managers that are considering a European company as a potential acquisition target, or that have portfolio companies with European operations, should take steps to assess their GDPR implications.

GDPR Resources

The following ACA resources are available to help your firm navigate the complexities of GDPR:

How ACA Can Help

ACA Aponix provides the following services for assisting with GDPR compliance:

  • GDPR Data Processing Reviews and Compliance Readiness — Our team of experienced consultants will review your firm’s personal data processing activities to build a data inventory, identify risks and gaps relative to the requirements of GDPR and assist with building a practical action plan to address deficiencies.
  • M&A Advisory Services — We provide pre-deal cybersecurity assessments of prospective portfolio companies to help you determine cybersecurity risks at the onset, negotiate better deals, and align risks with the investment thesis.

For More Information

For additional information or assistance in assessing your GDPR risk, implementing a GDPR compliance program, or reviewing GDPR risk across your portfolio, contact Matt Maurer at