What is the GDPR?
Even if an investment adviser or its private funds have no presence in the European Union (EU), it may still need to be concerned about EU data protection laws, in particular the new European General Data Protection Regulation (EU) 2016/679 (the “GDPR”). The GDPR came into force on May 25, 2018, and replaced the prior data protection law, the EU Directive 95/46/EC. The GDPR introduces significant changes from the prior EU Directive, including new jurisdictional scope that makes the GDPR apply not only to businesses established in the EU but also to any non-EU businesses that offer goods or services to individuals within the EU or that monitor individuals in the EU. This means that investment advisers and funds with investors in the EU may potentially be subject to the GDPR, which is significant because of the other changes brought about by the GDPR, including a maximum fine for non-compliance of the higher of 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, a 72-hour data breach notification requirement and new data subject rights (including the “right to be forgotten”). (For more information about these changes, please see our website page on the GDPR.)