The General Data Protection Regulation is the latest piece of legislation affecting hedge fund managers to roll off the European Union’s production line. It comes into force on 25 May 2018, and represents a significant overhaul and expansion of the EU data protection regime. Most managers have already been getting to grips with the details, so this piece looks at some particular questions that have arisen for hedge fund managers.
The new world of data protection
GDPR was not written on a blank slate. It is closely based on the EU’s current legislation, the Data Protection Directive 1995 (implemented in the UK by the Data Protection Act 1998), and the most fundamental concepts – “processing”, “personal data”, “data controllers” and “data processors” – will be familiar to those who already know the current regime. GDPR also prescribes a largely unchanged set of conditions for the processing of personal data and a list of “data protection principles” that has only been slightly refreshed. Much of it feels very familiar.
The most noticeable changes under GDPR are an extension of territorial application (of which more below), more restrictive conditions for valid consent, more detailed disclosure requirements, and additional rights for individuals whose data is being processed.