The E.U.’s General Data Protection Regulation (GDPR) represents the most significant development in E.U. privacy law in two decades and will capture the “processing” of “personal data” by any manager or fund domiciled in the E.U. The GDPR will also capture managers and funds located outside the E.U. that process the data of individuals located in the E.U. in connection with the offering of services to those individuals in the E.U. Because all investment management firms and funds will receive and process personal data in some way, shape or form in relation to their day-to-day business activities, it is vital for fund managers to be aware of the GDPR and its implications. In this two-part guest series, Oliver Robinson, associate director of the Alternative Investment Management Association, breaks down the key provisions of the GDPR and how they may affect advisers and private funds. This first article reviews the driving forces behind the enactment of the GDPR, the territorial scope of the GDPR, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. The second article will discuss the rights of data subjects, minimum requirements applicable to processors, the role of a “Data Protection Officer,” cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. For more on the GDPR, see “A Fund Manager’s Roadmap to Big Data: Privacy Concerns, Third Parties and Drones (Part Three of Three)” (Jan. 25, 2018).