Alternative Investment Management Association (AIMA), the global representative of alternative investment managers, has published a GDPR Implementation Guide to help members understand and comply with new EU-wide rules that come into effect on 25 May.
The General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive, represents the biggest change in EU data privacy law in a generation. Due to the GDPR's extraterritorial scope, the guide is relevant to alternative investment managers whether they are based in the EU or elsewhere.
The new rules cover how organisations process personal data and extend to the activities of non-EU organisations that offer goods or services to people located in the EU. For alternative investment management firms and funds, this mainly relates to the processing and potential cross-border transfers of employee and investor data, but could also be relevant to fund investments and research that process personal data. The rules also apply to any personal data received from a third party that is stored or used for commercial purposes.
The AIMA Guide summarises the GDPR framework in the context of alternative investment management firms and funds and looks at how new rules differ from the existing Directive.
In particular, the guide examines key questions and compliance considerations for alternative investment management firms with regards to the: EU and extra-territorial scope of the rules; requirements for all controllers and processors; enhanced rights of data subjects; minimum cybersecurity measures; and breach detection, notification and sanctioning regime. To assist AIMA members with implementation, the association has also provided a check-list of actions firms should complete.
AIMA’s CEO Jack Inglis said: “Following the implementation of MiFID2, the GDPR is the next major regulatory challenge at the forefront of the industry’s mind. This Guide will help to inform members of their obligations and hopefully reassure them where certain misunderstandings may exist.”
Inglis added: “Whilst it is clear that minor, innocent breaches are unlikely to result in the greatly enhanced maximum penalties of 4% of global revenues, it is important that our members are able to demonstrate that they have a clear understanding of what personal data is in their possession, why it has been obtained and how it is used - including whether it is shared to any other group entities outside the EU – and that firms implement the necessary systems and processes to meet the GDPR requirements. I am grateful for the hard work of the AIMA team and working group that put this together for the benefit of our members.”
AIMA, Alternative Investment Management Association, GDPR, European Union, Investment managers