Roughly 100 days remain before the General Data Protection Regulation (GDPR) takes effect on May 25, 2018. If you are unfamiliar with the new regulations, or are under the belief that the regulations do not affect your company’s operations, you better be sure to understand them. Non-compliance with GDPR can result in €20 Million fines or 4% of the annual global turnover of non-compliant GDPR organizations. Further, one of the biggest changes resulting from the GDPR is its expanded territorial scope. If you are unsure about the applicability of the GDPR to your organization, there is no time like the present to learn about these regulations.
To ensure our clients’ awareness of the EU’s recent efforts to protect the privacy of its citizens, this article covers the basics of the GDPR. GoBuyside is committed to supporting its clients in the fund management industry through this transition period by providing world-renowned talent capable of bringing any organization up to speed with the GDPR.
In 1995, the EU adopted the Data Protection Directive, which was the legal precursor to the GDPR. Aware that numerous EU nations were setting varying data protection standards, the European Commission decided to standardize and streamline the protection of data for its citizens. The directive was focused on protecting the individual and required his or her consent when companies collected, stored, and shared personal data. Similarly, the goal of the GDPR is to shield EU citizens from privacy and data breaches in a progressively data-driven environment that has drastically evolved since the 1995 directive was created.
Base salaries and bonus payments for private equity and venture capital professionals have been rising steadily since 2014, averaging 6-8% increase for each consecutive year.https://t.co/CGKq9ISM9n
— GoBuyside (@gobuyside) February 6, 2018
While the Data Protection Directive was not legally binding for member nations, it succeeded in setting the gold standard in personal data protections. The GDPR has been described as the data protection directive on steroids, as the ramifications of non-compliance were ramped up and certain ambiguities in the ladder were resolved by the GDPR. As a regulation, the GDPR is legally binding for every member state, unlike its directive predecessor.
READ MORE: Stock Market
Just as the flow of personal data can hardly be confined to geopolitical boundaries, the GDPR will also regulate activity outside of EU nations. Organizations located outside of the EU that offer goods or services to monitor the behavior of EU citizens will be subject to GDPR’s jurisdiction. The regulations will apply to all companies processing and holding the “personal data” of citizens living in the EU, regardless of the company’s physical location. Personal data is defined under the GDPR as any information related to a natural person that can directly or indirectly identify that person. Such data includes names, photos, email addresses, social networking posts, medical information, IP addresses, or bank information.
The GDPR regulates processors and controllers of personal data differently. A controller is an organization that determines the purposes, conditions, and means of processing of personal data, whereas the processor is an organization that processes personal data for the controller. Cloud service providers are considered processors and are not exempt from GDPR enforcement. According to GoBuyside analysts, “investment fund companies, management firms, AIFMs, distributors, fund administrators and depositaries will each need to consider the extent to which they control or process personal data, whether relating to investors or their respective officers and employees and ensure in each case they can operate in compliance with the upcoming legislation.”
One of the more prominent changes brought on by the GDPR is the alteration of consent requirements. By bolstering the conditions of consent, the GDPR ensures that companies will not be able to hide behind lengthy user agreements full of boilerplate language and legalese. Under the GDPR, consent must be given for the express purpose of data processing and must be distinguishable from other agreements. Only clear and plain language consent agreements will meet such requirements. Further, the ability of an individual to withdraw his or her consent must be as easy as giving their consent.
As the fund management industry gears up for the GDPR transition, we at GoBuyside are ready to equip your organization with the personnel to meet all your data protection needs and requirements. Be sure to check back with GoBuyside for further articles on the GDPR transition.
GoBuyside is a 21st-century recruitment platform that connects private equity firms, hedge funds, alternative investment managers, advisory platforms, and Fortune 500 companies with top talent from around the world. Using nuanced search parameters, GoBuyside systematically identifies and screens professionals to meet the needs of their clients. Over 500 satisfied clients have utilized GoBuyside’s talent network which encompasses over 10,000 firms and 500 cities across the globe. GoBuyside has successfully disrupted the traditional search model and is poised to serve all your human capital needs.
Learn more about GoBuyside by following them on Facebook.