In a continuing effort to inform the fund management industry of the impending challenges of the General Data Protection Regulation (GDPR), GoBuyside would like to outline some of the new rights of data subjects under the GDPR. GoBuyside is a 21st century recruitment platform that connects private equity firms, hedge funds, alternative investment managers, advisory platforms, and Fortune 500 companies with top talent from around the world. Once an organization understands the rights of data subjects, it can craft data protection procedures that ensure GDPR compliance.
Under the GDPR, any information relating to a natural person, or “data subject”, such as names, photos, email addresses, social networking posts, medical information, IP addresses, or bank information, must be protected by data controllers and data processors. Which protections are required is determined by the rights the regulation creates. For example, data breaches will require notification to data subjects when a breach is likely to “result in a risk for the rights and freedoms of individuals”. Data controllers must give notification within 72 hours of discovering the breach, while data processors will be required to notify their customers and controllers “without undue delay.”
One of the most significant additions to individuals’ data rights under the GDPR is that data subjects will now have a right to access the information that a data controller is processing about them. Upon request, data controllers must reveal where and for what purpose information about the data subject is being processed. This level of transparency is globally unmatched and will drastically affect the way organizations process information.
Another recent development of data subjects’ rights outlined in the GDPR is the individual’s right to be forgotten. Otherwise referred to as data erasure, a natural person’s right to be forgotten includes the ability to force a data controller to erase his or her personal information, stop dissemination of the data, and possibly have third parties stop processing the data. When data is no longer relevant to the original purposes of processing, or the data subject withdraws his or her consent, the data controller will have to erase the information. This right to be forgotten mandates that controllers balance the rights of the subjects with the “public interest in the availability of the data” when considering such erasure requests.
Privacy by design and default is not necessarily a new concept, but it is one that is being codified by the GDPR. A GoBuyside analyst recently described the “design” element of the regulation as requiring controllers to implement appropriate technical measures, organizational procedures, and mechanisms that, “by default”, ensure the data can only be processed in accordance with the GDPR. This design and default requirement forces controllers to adhere to data minimalism. Such data minimalism requires controllers to process and hold only the data that is necessary for the completion of their obligations. Further, controllers will have to limit access to personal data to those who need it to complete processing.
Like privacy by design and default, the use of Data Protection Officers, or DPOs, is not new to data controllers and processors. Presently, controllers are required to notify local data processing authorities of data processing activities. Under the GDPR, such disclosures to DPAs will be limited and replaced by internal record-keeping requirements. DPO appointments will only be mandatory for processors and controllers whose primary activities consist of operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data. DPOs can be staff members or external service providers, as long as they are appointed for their expert knowledge of data protection laws and practices. DPOs must now report directly to the highest level of management and must be provided with the resources necessary to carry out their tasks.
GoBuyside is committed to supporting its clients in the fund management industry through this transition period by providing world-renowned talent capable of bringing any organization up to speed with the GDPR. Using cutting-edge search parameters, GoBuyside systematically identifies and screens professionals to meet the needs of its clients. GoBuyside has successfully disrupted the traditional search model and is poised to serve all of your human capital needs.