While the business of an alternative investment fund manager will not involve the systematic processing of natural persons’ data, all investment management firms and funds will receive and process personal data in some way, shape or form in relation to their day-to-day business activities, thereby subjecting them to the most significant development in E.U. privacy law in two decades. This two-part guest article series breaks down the key provisions of the GDPR and how they may affect advisers and private funds. This first part reviews the driving forces behind the enactment of the GDPR, the territorial scope of the GDPR, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. The second article
will discuss the rights of data subjects, minimum requirements applicable to processors, the role of a DPO, cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. See also our two-part interview with the Irish Data Commissioner: “Supervising Facebook
” (April. 25, 2018); and “GDPR Enforcement Priorities
” (May 2, 2018).