GDPR

The European Union General Data Protection Regulation (EU GDPR) will come into effect on May 25, 2018, replacing the 22-year-old EU Data Protection Directive.  At its core, the GDPR aims to put EU residents in control of their personal data. It regulates how their data is collected, processed, stored, deleted, transferred, and used. Any company (local and international) that does business in Europe or handles the personal data of EU residents should comply with the new rules.
 
Developing a plan to comply with the new rules it is critical for all organizations. Failure to do so could lead to unprecedented fines of up to 4% of annual global revenue or €20,000,000.  This amount is significantly higher than any penalties data protection authorities (DPAs), within individual EU countries, have the power to issue today.

As an international investment fund, how am I affected?

Does GDPR apply to my organization?  

As a non-European based company, what my exposure and risk?  

What does successful compliance look like? What changes will my organization have to make to internal processes and what technologies can we leverage to ensure that the personal data of EU residents are protected?

 

Tribe performs an assessment to answer these type of questions and show you where your exposures are, what your risk level is, and what needs to be done in order to achieve compliance.  It then can assist you in executing the plan to become compliant and ensure your adhering to standards on an ongoing basis.  

GDPR Assessment

GDPR is structured around the following principles:

  1. Lawfulness, Fairness, and Personal Data Transparency- with consumer consent and shifting data control back to the invidivual

  2. Data Collection and Processing- limiting scope of collection to minimum required and data processing to specific legitimate purposes

  3. Data Storage and Management- limiting storage for only as long as necessary for intended purpose and enabling individuals to correct or request deletion of their personal data

  4. Data Integrity and Security- ensuring data is secure and using encryption and rendering data anonymous where possible

Via its GDPR discovery program, Tribe performs an assessment focused on the core principles:

  • Discover current state of personal data processing within organization

  • Impact and Risk Analysis

  • Data Security Analysis

  • Readiness and Gap Assessment

  • Plan for Driving to Compliance

GDPR Transition to Compliance

Tribe works with you to take the necessary steps to become GDPR compliant by executing the plan formulated in the Assessment.

  • Execute GDPR plan from the Initial Assessment

  • Establish Operations and Processes around GDPR, including Breach notifications

  • Change Management

  • Training

CISO Periodic Privacy Internal Audits

Tribe’s CISO’s (chief information security officers) can work with you on an ongoing basis to periodically assess that your organization is staying compliant once GDPR has been implemented and that any updates to regulations are accounted for in your operations.  

GDPR and International Funds

Funds generally operate under the supervision of a Board of Directors and/or under the responsibility of a Management Company or General Partner. Almost all funds will appoint a range of service providers (e.g. Fund Administrator & Transfer Agent, Investment Manager, Distributor, Company Secretary, Prime Brokers, Compliance Groups).   Some example questions to consider are:
 
  • Funds and Fund Management Companies – Are they Data Controllers?
  • Relevant Data Subjects – as a data controller who are the relevant data subjects (i.e. investors in the fund, employees or persons authorized to act on behalf of legal persons who provide personal data)?
  • Who are the Data Processors?  Fund service provider entities such as administrators, paying agents and distributors are more likely to be data processors.
  • Administration/Distribution/Paying Agency Agreements - what do they say?
  • As a processor is there a clearly defined scope of activities? 
When considering the impact of GDPR on funds, Tribe works with funds to assess its specific obligations.

2017 Infinity Tribe