From May 25, 2018, all organizations – including hedge and private equity funds – will need to align their data practices with the General Data Protection Regulation (GDPR). The GDPR governs how private funds manage the Personally Identifiable Information (PII) of any individual investor where that fund is administered (processed) within the EU, irrespective of domicile, and imposes new rules on disclosure of any data breaches.

GDPR compliance brings a transformational shift that grants individual investors more rights over their PII and increases the accountability of the data Controllers and Processors of private funds.

Overall, GDPR is complex but not an overwhelming legislation. It aims to help private funds more effectively manage PII in order to mitigate the risks of data breaches. The average cost of a data breach is $3.62 million and it is therefore prudent for any private fund to maintain sound data protection practices.


Although there are many significant, unanswered questions about GDPR compliance within complex multinational businesses, the GDPR compliance requirements for private funds are clear. If your private fund is currently (or intends to be) serviced within the EU and has individual investors, it must comply with GDPR requirements.

The good news is that GDPR harmonization for private funds should mean simply codifying preexisting data practices as investors (and regulators) have long expected private funds to maintain the same robust compliance culture now being promulgated by the GDPR. Harmonization should therefore have a minimal impact.

Other good news is that the typical private fund structure should not need to meet the now-dreaded Data Protection Officer (DPO) requirement that can be perplexing for global businesses.

The unwelcome news is that GDPR does meaningfully increase the regulatory risk of private funds. Data privacy within the EU is viewed as a fundamental human right so private funds should expect EU Data Protection Authorities (DPAs) to take infractions very seriously and expect them to zealously enforce GDPR compliance.


First, identify and determine who is acting as the Controller (an entity such as a private fund) and the Processor (a third-party contractor such as a fund administrator) of the data and identify their respective core activities under the GDPR requirements.

If your private fund is deemed a Controller (or joint controller) and is established outside the EU, the private fund must designate an EU Appointed Representative (EAR), resident in a EU Member State, with expertise in EU data protection laws commensurate with the sensitivity, complexity and amount of data processed by the fund, to maintain compliance with the GDPR legislation.


Private funds that fail to comply with the GDPR could face penalties as high as 4% of its global revenues or €20 million, whichever is higher. Fines can be applied to both the Controller and the Processor. EARs are also subject to enforcement actions by DPAs in the event of noncompliance.


Each private fund that acts as a Controller should:

  • review all its data processing activities in preparation for GDPR implementation;
  • identify the data processing activities for which it is a Controller, and ensure that it understands its responsibilities as a Controller;
  • ensure that, in respect of each processing activity for which it is a Controller, it has implemented appropriate technical and organizational measures to ensure compliance with the GDPR; and
  • ensure that it has appropriate processes and templates in place for identifying, reviewing and (to the extent required) promptly reporting data breaches


Successfully navigating the GDPR involves establishing and maintaining effective data governance processes, including the appointment of qualified data governance professionals to act as EARs within the EU.

DMS has highly qualified GDPR experts, resident across its three EU offices providing high-quality and cost-effective data governance services, including serving as EARs. Please contact any DMS GDPR team leader below or your usual DMS professional to assist you in evaluating your service options.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.