Even as the Trump Administration eases regulatory burden across all sectors of the national economy, our friends across the pond are laboring to fill the vacuum. Beginning May 25, 2018, all organizations, including hedge funds, must conform their data practices to the requirements of the General Data Protection Regulation (GDPR).
This European Union creation governs the manner in which hedge and other private funds manage the Personally Identifiable Information (PII) of any individual investor where that fund is administered and/or its data is processed inside the European Union, regardless of the fund's domicile. The regulation also imposes rules regarding the disclosure of any and all data breaches.
What that Means for Hedge Funds
Europe’s GDPR is not the first regulatory volley fired at the hedge fund industry; MiFID II, scheduled to take effect in January, was the first. While both MiFID II and GDPR have the interests of European investors at heart, the global nature of markets and investment is such that non-compliance is a poor option. As a result, the hedge fund industry must be prepared to comply with GDPR by May 25, 2018.
As this is being written, Facebook’s CEO, Mark Zuckerberg, is being grilled in a privacy hearing of the European Union’s parliament, yet another example of the global reach that laws passed in far-flung capitals have over other sovereign nations. To be sure, the United States government has implemented its fair share of legislation with implications reaching beyond its borders. For better or worse, this is the world in which we live.
As with MiFID II, small to medium-sized hedge funds will be the hardest hit by the costs of implementation. Their management fee income is limited by the size of their assets, so they cannot absorb compliance costs the way large funds can.
Make no mistake, the EU will vigorously enforce GDPR, as data privacy is viewed there as a fundamental human right. Infractions will therefore be taken very seriously, and penalties for the most serious breaches can be as high as 4 percent of annual global turnover or 20 million euros, whichever is higher.
On the plus side, PII is certain to be a subject of concern for U.S. lawmakers, and compliance with EU regulations may be sufficient to satisfy any laws our government promulgates on the issue. At worst, compliance with EU regulations should place hedge funds well along the path to compliance with any future U.S. regulation on data privacy.
How to Prepare
- Review all data processing activity
- Identify all data processing activities for which the fund is a controller (and those for which it is a processor), ensuring that all of its responsibilities are understood
- Implement organizational and technical measures that ensure GDPR compliance
- Ensure appropriate processes and templates are in place to identify data breaches and, as necessary, report them; GDPR requires the supervisory authority to be notified within 72 hours of the controller becoming aware of a breach, where feasible
Final Thoughts
GDPR ushers in a sea change in individual investors’ rights over their PII and greatly increases the responsibilities and accountability of controllers and processors in the hedge fund industry. The legislation is geared toward helping hedge and other private funds mitigate data breach risks. Considering that the average data breach can cost $3.62 million, compliance with GDPR can result in savings that offset the cost of compliance, which is more than can be said of MiFID II.