Europe’s GDPR May Affect Your Business and the Deadline is Approaching

Any organization that collects or processes personal data of European Union (EU) residents will need to comply with the new General Data Protection Regulation (Regulation (EU) 2016/1679) (“GDPR“), which goes into effect on May 25, 2018 and provides specific requirements on data privacy and data security.

GDPR was passed by the European Parliament and EU Council to create a harmonized data privacy law across member states of the EU. Its purpose is to support privacy as a fundamental human right and give EU residents control over how their personal data is processed or otherwise used. Personal data, as defined by the GDPR, includes any information that relates to an individual, such as names, email address, tax identification numbers and other personally identifying information, as well as technical information, such as IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.

What actions do financial institutions have to take in order to comply with GDPR?

Financial institutions should conduct an audit of their sources of EU personal data which puts them in scope of GDPR, update data privacy and security policies and procedures, revise key contracts with service providers to require compliance with GDPR’s contractual requirements regarding data privacy and confidentiality, and update disclosure documents and investor onboarding documentation to meet disclosure and consent obligations imposed by GDPR. In addition, any firm processing personal data should assess key areas of risk, such as transfers of personal data to non-EU countries, activities which require consent of the data subject, the delegation of responsibilities in handling personal data, and the handling of personal data related to children. U.S.-based funds with EU investors should review their offering documents and regulatory filings, including Form ADV, to ensure proper disclosure of data breaches involving personal identification information.

GDPR provides two tiers of severity for violations of its regulations. A lower tier infraction may result in a maximum penalty of the greater of 10 million Euros or 2% of the worldwide annual revenue for the prior financial year. A more severe infraction penalty can be up to the greater of 20 million Euros or 4% of worldwide annual revenue for the prior financial year.

Key elements of GDPR:

  • Territorial scope.

GDPR covers the activities of any company processing the personal data of European Union data subjects, irrespective of whether such company is located in the EU or a non-EU country such as the United States.

  • Core Principles.

GDPR includes three core principles which guide its requirements: lawfulness, fairness and transparency. In order to be lawful, data processing must meet at least one of six criteria: (i) consent; (ii) contractual necessity; (iii) legal obligation; (iv) vital interests; (v) public interest; (vi) legitimate interests.

  • Bill of Rights.

GDPR includes a bill of rights for the data subjects whose personal data is processed by any person. These include the right to information on the scope of and procedures for handling personal data; the right to access, rectify and erase data; the right to port data to another processor; and the right to object to the processing of data.

  • The Controller and the Processor.

GDPR assigns responsibility for compliance with its provisions to a data controller and a data processor. All institutions should assess their business models and determine circumstances in which they may fall into either category, and understand how this role affects their legal responsibilities and contractual requirements.

  • Data Security and Protection.

GDPR imposes requirements as to maintaining security in processing, storing and transferring personal data, reporting breaches to regulators and the data subjects, and designating a data protection officer. After assessing the scope of their data processing activities, companies should determine how these requirements may affect their business policies and practices.

  • Cross-Border Data Transfers.

The European Commission and U.S. Department of Commerce designed the EU-U.S. Privacy Shield to determine whether an adequate level of protection exists for cross-border transfers and to simplify compliance with cross-border data protection requirements. Data protection compliance must be adhered from inception to delivery in the life cycle of a service or product.

  • Data Breach Notification.

Upon a breach, a company’s IT resources will need to analyze whether the exposure of data can cause a risk to the rights of EU data subjects. Notification to an EU regulator or supervising authority is required within 72 hours of a data breach, such as a large exposure of email addresses, medical or financial information or identifiers related to children.

If you have any questions about this Alert, please contact Daniel G. Viola at 212.573.8038, or Richard Shamos at 212.573.8027,

Click here to read additional information: REGULATION (EU) 2016/ 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL