Most European private equity firms and their portfolio companies will be well aware that May 2018 heralds the most significant shake-up in data protection law across the EU for 20 years. And given the huge amount of “personal data” (that is, data that relates to identifiable individuals) now held by just about every sizeable business, that is a very big deal.
While private equity firms themselves will mostly hold data about employees and investors, information about customers – and lists of potential customers – probably raises the biggest issues for investee companies. With very substantial fines, potential civil liability, and the prospect of serious reputational damage for companies that are not ready, now is a good time to review progress – both within the fund manager, and across the portfolio. In particular, directors nominated to portfolio company boards should be asking searching questions of their management teams, and data protection should be high on the due diligence list for potential targets.
For most businesses, the obvious starting point is a “gap analysis”, looking particularly at the personal data they hold, the content of privacy notices, the procedures for obtaining consent from those whose data is held, contracts with third party data processors, and staff training and awareness. Firms will also need to develop – or, more likely, review and update – their cyber-security incident response plan to ensure that it complies with the new rules dealing with data breaches. Portfolio companies that engage in “regular and systematic” monitoring of individuals in the EU, or large-scale processing of their “sensitive” data, will have to appoint a Data Protection Officer reporting to the most senior level of management.
But, unfortunately, compliance with the new rules – known as the GDPR, or General Data Protection Regulation – is not straightforward, and there are several traps to watch for.
First, the new rules are not just an issue for businesses that are located in Europe. The extra-territorial effect of the rules means that many businesses outside the EU, which might never have heard of the GDPR, may nevertheless be caught by it. That will be the case if they process data of EU-based individuals in connection with the offering of goods or services to them, or if they “monitor the behaviour” of EU nationals. As well as complying with the rules themselves, these companies will also have to appoint an EU representative.
Second, the process for obtaining consent from individuals to process their data will be tougher, meaning that new consents may need to be obtained for existing contacts and customers. That may well result in many people whose data is currently held refusing to provide a fresh consent, or not responding to a request to do so, restricting the ability of the business to conduct its normal activities. That could be a very serious commercial issue, and will need to be handled with extreme care – not least because, if the existing consents are inadequate, a business may not even be legally able to contact customers to ask for a new consent.
Third, the new rules will require data privacy notices to include more detail, but must also be “concise and intelligible”. That may seem like an impossible task, given the length and readability of some existing privacy notices, and will require some high-level judgements to be taken.
Fourth, although the GDPR does not require the appointment of a data protection officer (DPO) for all businesses, it may seem like an obvious way to assist a company with its GDPR compliance. However, giving an employee that title may itself create some additional obligations, and gives rise to protections for the individual which might be unintended. Careful consideration of the roles and responsibilities of employees will be important, but appointing a DPO may not always be the right answer (although in some businesses, and in some countries, it will be unavoidable).
Fifth, data protection rules in Europe currently differ significantly from country to country, even though they were the subject of a previous European Directive in 1995, creating a headache for cross-border businesses. The GDPR, because it is directly effective in all EU member states from May 2018, will mitigate that problem somewhat; but businesses should be aware that some significant differences will remain, and there is also some scope for confusion over the rights of different national supervisory authorities to enforce the rules. As usual in the EU, the road to harmonisation is a long one.
And finally, data protection also needs to appear on the list of matters to worry about following the UK’s decision to leave the EU. At the moment, and until the UK leaves, it is quite straightforward to transfer data from the UK to other EU countries and vice-versa. Whether that remains the case after Brexit will depend upon the provisions agreed as part of the exit process.
All in all, there is a lot for most European (and many non-European) businesses to do in the coming ten months, and any gap analysis will most likely reveal the extent of the effort required. Those who have not yet started to get ready would be well advised to use the summer break to good effect.
More information on the practical steps to be adopted by private equity firms preparing for the GDPR is available here.