Since it took effect across all EU member states in May 2018, the General Data Protection Regulation (GDPR) has had a profound impact on private equity and venture capital firms worldwide. The law applies to investment management firms with an establishment in the EU, and also to PE and VC firms outside the EU that deliberately and systematically market to EU-based investors, monitor the behaviour of individuals in the EU or otherwise process personal data of EU residents. The GDPR imposes stringent requirements on the collection, processing and disclosure of personal data, backed by fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
In practice, multinational private equity and venture capital firms with EU-related operations manage a considerable pool of data about their employees, investors and borrowers, as well as about the founders and management teams of their portfolio companies. Because they collect, process and disclose this large volume of data about EU residents, PE and VC firms need to ensure strict GDPR compliance for themselves and to run due diligence on compliance by their portfolio companies. Below, we discuss the key requirements the GDPR sets for private equity and venture capital firms and practical strategies for ensuring multi-jurisdictional compliance.
The GDPR sets out core principles (Article 5) that every business processing personal data of EU residents must follow, and they apply in full to private equity and venture capital firms.
Lawfulness, fairness and transparency. The GDPR requires personal data to be processed lawfully, fairly and in a transparent manner. Lawfulness means identifying a lawful basis under Article 6 for each processing activity before it starts. Consent is one such basis, but not the only one: performance of a contract, compliance with a legal obligation and the firm's legitimate interests are the bases PE and VC firms rely on most often, since consent can be withdrawn at any time and is hard to obtain freely from people in a dependent relationship, such as portfolio-company employees. Where processing rests on legitimate interests, the individual may object, and the firm must then stop unless it can demonstrate compelling legitimate grounds that override the individual's interests.
The transparency requirement (Articles 13 and 14) is extensive and includes an obligation to inform individuals of the identity of the data controller, the purposes and lawful basis of the processing, the recipients of the data, the retention period and their data protection rights, normally through a privacy notice provided at the time the data is collected.
Purpose limitation. This principle requires data to be collected for specified, explicit and legitimate purposes that were declared to the individual and not further processed in a way incompatible with those purposes. If the firm intends to use personal data for a new purpose, it must first check whether the new purpose is compatible with the original one; if it is not, the firm needs a fresh lawful basis for the new purpose (which may, but need not, be consent) and must inform the individual before the new processing begins.
Data minimisation. The GDPR limits the collection and processing of personal data to what is adequate, relevant and necessary for the specific purposes declared by the firm. Under the law, no private equity or venture capital firm may collect personal data "for potential future uses" or "just in case."
Accuracy. When collecting data on private individuals, private equity and venture capital firms must keep the data accurate and, where necessary, up to date, taking every reasonable step to do so. In practice this means periodic re-verification of personal information, for example by asking founders and investors to confirm their details at set intervals. Data found to be inaccurate must be rectified or erased without delay.
Storage limitation. An investment management firm may keep personal data in a form that identifies individuals for no longer than is necessary for the purposes declared to them when the data was collected. The GDPR's only exception to this rule covers data kept longer solely for archiving in the public interest, scientific or historical research, or statistical purposes, which are rarely relevant to PE and VC firms. Note that what is "necessary" can itself be set by other legal obligations the firm is subject to, such as anti-money-laundering record-keeping rules, so retention periods should be defined per purpose and documented.
Integrity and confidentiality. Under the GDPR, firms processing personal data must ensure appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The law also sets a tight 72-hour window, running from the moment the firm becomes aware of a personal data breach, within which it must notify the supervisory authority unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the firm must also inform those individuals without undue delay, and a processor (for example a third-party service provider) must notify the controller without undue delay.
Accountability. Last but not least, the GDPR requires PE and VC firms to implement "appropriate technical and organisational measures" and "to ensure and to be able to demonstrate" that they process personal data in accordance with the law. This requirement has far-reaching implications for affected businesses, which include:
Multinational private equity and venture capital firms with considerable portfolios tied to the EU can hold thousands of data points on EU residents connected to their backed companies, including:
The GDPR principles outlined above require PE and VC firms to keep these data accurate and regularly updated, to store them securely and protected from unauthorised use, to limit what is held to what is necessary, and to erase inaccurate or unnecessary information. Importantly, when a PE or VC firm collects these data, it must establish a lawful basis for the collection (consent is one option, but contractual necessity or legitimate interests will often be more appropriate) and inform the individuals concerned about the purpose of the collection, how long the data will be kept and who will receive it.
To this end, investment management firms should maintain a single source of truth (SSOT) for personal data that is protected by access controls, encryption and audit logging rather than scattered across spreadsheets and inboxes. This central store should allow access to be restricted per stakeholder according to the purpose for which each item was collected, and should enforce retention limits so that data is kept only as long as necessary, for example erasing a founder's details once that person leaves a backed company and any applicable retention period has run out.
Handling such volumes of data reliably is only practical with tooling that provides central, secure storage and purpose-based access for the various stakeholders. Compliance teams further benefit from automated processes, for example prompts to re-verify or erase data so that it stays accurate and is not stored longer than necessary, and an audit trail that lets the firm demonstrate compliance under the accountability principle.
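As an added illustration (not Athennian's software and not code from the original article), the following Python sketch shows how a central personal-data store can enforce the three controls just described: purpose-bound access per stakeholder role, a retention sweep that erases a record once the relationship behind it has ended, and a flag for records overdue for accuracy re-verification. The roles, purposes, retention periods and sample records are hypothetical placeholders; a real firm would derive them from its record of processing activities and its retention policy.

```python
"""Purpose-bound access and retention enforcement for a personal-data SSOT.

Added illustration only. Roles, purposes, retention periods and the sample
records are constructed placeholders, not any firm's actual policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                 # purpose declared to the individual at collection
    lawful_basis: str            # Article 6 basis relied on, e.g. "legitimate_interests"
    data: dict
    last_verified: date          # last time the individual confirmed the data
    role_ended: Optional[date] = None   # e.g. the day a founder left a backed company


# Hypothetical mapping of stakeholder roles to the purposes they may read for.
ROLE_PURPOSES = {
    "deal_team": {"portfolio_monitoring", "investor_relations"},
    "investor_relations": {"investor_relations"},
    "people_ops": {"employment"},
}

# Hypothetical retention after the relationship ends; statutory duties such as
# AML record keeping would lengthen some of these in practice.
RETENTION_AFTER_END = {
    "portfolio_monitoring": timedelta(days=0),
    "investor_relations": timedelta(days=5 * 365),
    "employment": timedelta(days=3 * 365),
}

VERIFY_EVERY = timedelta(days=365)   # accuracy: ask individuals to re-confirm annually


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: dict = {}
        self.audit_log: list = []    # (event, actor, subject_id, purpose, outcome)

    def add(self, rec: PersonalRecord) -> None:
        self._records[rec.subject_id] = rec

    def read(self, role: str, subject_id: str, purpose: str) -> dict:
        """Grant access only if the role may act for this purpose AND the record
        was collected for that same purpose (purpose limitation)."""
        rec = self._records.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self.audit_log.append(("read", role, subject_id, purpose, "denied:role"))
            raise PermissionError(f"{role} may not process data for {purpose}")
        if rec.purpose != purpose:
            self.audit_log.append(("read", role, subject_id, purpose, "denied:purpose"))
            raise PermissionError(f"record collected for {rec.purpose}, not {purpose}")
        self.audit_log.append(("read", role, subject_id, purpose, "granted"))
        return dict(rec.data)        # return a copy so callers cannot mutate the SSOT

    def erase(self, subject_id: str, reason: str) -> None:
        del self._records[subject_id]
        self.audit_log.append(("erase", "system", subject_id, reason, "done"))

    def retention_sweep(self, today: date) -> list:
        """Erase every record whose retention period has run out; return their ids."""
        expired = [
            r.subject_id for r in self._records.values()
            if r.role_ended is not None
            and today >= r.role_ended + RETENTION_AFTER_END[r.purpose]
        ]
        for sid in expired:
            self.erase(sid, "retention_expired")
        return expired

    def records_needing_verification(self, today: date) -> list:
        """Ids of records not re-confirmed within VERIFY_EVERY (accuracy principle)."""
        return sorted(r.subject_id for r in self._records.values()
                      if today - r.last_verified > VERIFY_EVERY)


def demo(today: date = date(2024, 3, 1)) -> dict:
    """Run the store over two constructed records and return the outcomes."""
    store = PersonalDataStore()
    store.add(PersonalRecord("founder-42", "portfolio_monitoring", "legitimate_interests",
                             {"name": "A. Founder", "email": "a@example.com"},
                             last_verified=date(2022, 6, 1), role_ended=date(2024, 1, 15)))
    store.add(PersonalRecord("lp-7", "investor_relations", "contract",
                             {"name": "B. Investor", "email": "b@example.com"},
                             last_verified=date(2023, 12, 1), role_ended=date(2023, 1, 1)))
    out = {"deal_team_reads_founder": store.read("deal_team", "founder-42", "portfolio_monitoring")}
    for key, args in (("people_ops_reads_founder", ("people_ops", "founder-42", "portfolio_monitoring")),
                      ("deal_team_reads_lp_for_monitoring", ("deal_team", "lp-7", "portfolio_monitoring"))):
        try:
            store.read(*args)
            out[key] = "granted"
        except PermissionError:
            out[key] = "denied"
    out["stale"] = store.records_needing_verification(today)   # overdue re-verification
    out["erased"] = store.retention_sweep(today)               # founder left, 0-day retention
    out["remaining"] = sorted(store._records)
    out["audit_events"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The two denials differ on purpose: the first is a role that has no business with portfolio data at all, the second is an authorised role asking for investor data under a purpose it was never collected for, which is exactly the purpose-limitation breach an SSOT should refuse. Every decision lands in the audit log, which is the evidence the accountability principle asks a firm to be able to produce.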
Multinational private equity and venture capital firms process an ever-increasing volume of personal data relating to their own businesses and to portfolio companies worldwide, including in the EU. Ensuring GDPR compliance is a substantial undertaking that calls for a comprehensive programme: setting relevant policies and procedures, keeping a record of processing activities, conducting data protection impact assessments (DPIAs) for high-risk processing, revisiting existing controls and running ongoing due diligence on portfolio companies.
Investment management firms need modern software such as Athennian to automate due diligence and support multi-jurisdictional compliance. For more information, contact the Athennian team for a free consultation and to schedule a free demo.