The GDPR applies to all businesses that process personal data from European Union residents, even if the business is not incorporated in, does not have a physical presence in, and has no employees in the EU. Even the processing of a small amount of personal information, such as contact information, about even one EU person will result in your Firm being subject to the GDPR if the processing of the personal information relates to the offering of goods or services to such EU person or you are monitoring the behavior of EU data subjects (i.e., tracking individuals on the Internet to analyze or predict their personal preferences).
Sanctions for failure to comply with the GDPR can be very high. They include fines of up to the greater of €20 million or 4% of a firm’s annual worldwide gross revenue. In addition, non-compliant businesses face the possibility of being audited or having to carry out specific remediation. Finally, a business that is found to have violated the GDPR may be the subject of an order prohibiting the business from receiving EU personal data.
If you are collecting personal information about EU residents in any way (e.g., through your website, if you have EU employees or individual contractors located in the EU, or if you maintain contact information about EU residents such as the EU citizens in your fund(s) and perhaps EU citizens who may be associated with your portfolio companies), you should reach out to your legal counsel to assess your readiness for the many new obligations that the GDPR imposes on companies that process personal data from EU residents. To help our clients mitigate these issues, we have developed an automated tool in partnership with a third party to help assess and address your GDPR readiness that we would be happy to discuss with you.