We recently issued a survey to investors, asking them if they have concerns over how their fund managers are handling their personal information in light of the General Data Protection Regulation (GDPR), a new rule that has the potential to wipe out fund managers if they don’t take data protection seriously. The findings were surprising.
GDPR is the EU’s attempt to provide a common framework for the use of personal data of European citizens. Local fund managers – as well as any fund manager handling European citizens’ personal data – will need to comply with the requirements when the rule goes into effect in May 2018.
A quarter of LPs surveyed expressed concern about their GPs’ non-compliance, which makes me think that, similar to issues around cybersecurity a few years ago, this issue won’t be just a ‘check-the-box’ exercise, and investors will start to ask more in-depth questions about it in the coming months.
The conversation is heating up; however – surprisingly – 79% of survey respondents said they had no concern about this topic. In our white paper, “The LP Blueprint: Insights on Alternative Investments,” which outlines the full details of the survey, we explain that, “LPs perhaps do not know exactly what questions to ask to be certain that GPs are making the necessary GDPR modifications. There could be a ‘blind trust’ element to the level of confidence being cited.”
Steps you can take to move towards compliance
GDPR poses challenges that are unique to alternative investment (AI) and private equity businesses due to their use of SaaS-based technology. PE firms store an immense amount of investors’ personally identifiable information (PII) in the cloud, making them more exposed to GDPR obligations than your everyday business.
In an earlier post on our blog, we explored these five steps you can take to move towards compliance if you’re working with SaaS:
- Implement a data security strategy and ascertain where responsibility for security lies.
- Appoint a data privacy officer with a legal or IT background.
- Choose cloud providers who have privacy built in at their core, as well as providers who are aware of data privacy practices in all relevant countries.
- Be mindful of how your cloud provider is storing PII and how their data are moving around the world.
- Tier your data according to the level of confidentiality, and protect them accordingly.