The European Union’s General Data Protection Regulation (GDPR) is something that all venture firms with any connectivity to EU persons should be paying attention to. The GDPR becomes effective May 25, 2018. The GDPR imposes numerous requirements on businesses within its scope, including: strengthened requirements for obtaining the consent of EU persons to the processing of their data; mandatory notification of data breaches to data protection authorities and, in some cases, to the affected persons; and the creation of new rights for EU persons, including the right to request that businesses delete or remove their personal data when there is no longer a compelling reason for its continued processing (i.e., the “right to erasure”). Businesses that are subject to the GDPR must also have a GDPR-compliant privacy policy.
The GDPR applies to all businesses that process personal data from European Union residents, even if the business is not incorporated in, has no physical presence in, and has no employees in the EU. Even the processing of a small amount of personal information, such as contact information, about a single EU person will result in your Firm being subject to the GDPR if the processing relates to the offering of goods or services to that EU person, or if you are monitoring the behavior of EU data subjects (i.e., tracking individuals on the Internet to analyze or predict their personal preferences).
Sanctions for failure to comply with the GDPR can be very high. They include fines of up to the greater of €20 million or 4% of a firm’s annual worldwide gross revenue. In addition, non-compliant businesses face the possibility of being audited or having to carry out specific remediation. Finally, a business found to have violated the GDPR may be made the subject of an order prohibiting it from receiving EU personal data.
If you are collecting personal information about EU residents in any way (for example, through your website, because you have EU employees or individual contractors located in the EU, or because you maintain contact information about EU residents such as the EU citizens in your fund(s) and any EU citizens who may be associated with your portfolio companies), you should reach out to your legal counsel to assess your readiness for the many new obligations that the GDPR imposes on companies that process personal data from EU residents. To help our clients navigate these issues, we have developed an automated tool in partnership with a third party to help assess and address your GDPR readiness, which we would be happy to discuss with you.