AIMA releases guidelines for EU data compliance

Firms risk falling foul of tough new data laws that apply to anyone doing business in the EU.

The Alternative Investment Managers Association (AIMA) has released a guide for members to help them comply with a major change in EU data laws.

The General Data Protection Regulation (GDPR) intends to offer greater protection for EU citizens’ personal data and unify data regulation across the EU. It replaces the EU Data Protection Directive.

AIMA said the GDPR is one of the biggest changes in EU data privacy law for a generation and its extraterritorial scope makes it relevant to managers within the EU and outside of it.

Alternative investment managers will be mostly affected by rules on cross-border transfers of employee or investor data, though the rules will also apply to any personal data received from third parties that is stored or used for commercial purposes.

AIMA’s guide, which has been sponsored by Clifford Chance, looks at relevant questions and compliance considerations for alternative investment managers: looking at the EU and extra-territorial scope; requirements for data controllers and processors; the rights of data subjects; cybersecurity needs; and breach detection, notification and sanctioning.

Firms can also access a check-list of actions they will need to complete to ensure compliance with GDPR. Failure to comply could result in a maximum penalty of 4 percent of revenue. Other sanctions can include written warnings and enforced regular data protection audits.

Jack Inglis, CEO of AIMA, said: “Whilst it is clear that minor, innocent breaches are unlikely to result in the greatly enhanced maximum penalties of 4% of global revenues, it is important that our members are able to demonstrate that they have a clear understanding of what personal data is in their possession, why it has been obtained and how it is used – including whether it is shared to any other group entities outside the EU – and that firms implement the necessary systems and processes to meet the GDPR requirements.”