AIMA GDPR Implementation Guide
January 2018 – Executive Summary
29 January 2018
Clifford Chance recently held a breakfast panel event to mark the launch of the Alternative Investment Management Association's ‘AIMA GDPR Implementation Guide’. The Guide is now available to AIMA members. The Executive Summary is republished with AIMA's permission below.
The EU General Data Protection Regulation (GDPR) was published in May 2016 and will become effective on 25 May 2018, replacing the EU Data Protection Directive (the Directive), which was drafted in the mid-1990s.
The GDPR rules apply to all organisations that deal in any way with the personal data of natural persons, as either ‘controllers’ or ‘processors’. All ‘processing’ of personal data must have a clear purpose and legal basis, and be compliant with the relevant principles and standards of the GDPR framework.
The GDPR builds upon the data protection regime contained within the Directive, and includes many enhancements:
- Territorial scope – increased territorial scope to include any non-EU organisation that processes the personal information of persons located in the EU and that offers services to or monitors persons located in the EU, as well as all EU established organisations;
- Data protection principles – strengthened principles for the processing of personal data, in particular by enhancing the accountability for and transparency of personal data processing, and requiring firms to embed data protection into all commercial processes by design and by default;
- Consent as a legal basis – greater difficulty in obtaining and maintaining consent as the legal basis for personal data processing; in particular, it is far easier for data subjects to withdraw consent under the GDPR;
- Rights of data subjects – enhanced data subject rights in relation to their personal data, including the right of access to data, the right to be forgotten, the right to restrict processing, and the right to object;
- Obligations for processors – new obligations and liability for processors, as well as the requirement for controllers to obtain guarantees of compliance with the GDPR from any third-party processors used;
- Data protection officers – the GDPR introduces an obligation for firms that regularly and systematically monitor data subjects, or process ‘Sensitive Personal Data’ on a large scale, to appoint a ‘Data Protection Officer’ (DPO) compliant with the requirements of the GDPR; and
- Supervision, breaches and sanctions – greater oversight and sanctioning powers for supervisory authorities, and a requirement for controllers to notify material breaches to supervisors within 72 hours of detection and to data subjects if the breaches pose a high risk to them. Sanctions are greatly enhanced, with the possibility of administrative fines of up to 4% of global group turnover.
The AIMA GDPR Implementation Guide was published by AIMA in January 2018 to provide greater clarity for members in their preparation for the go-live of GDPR.
The Implementation Guide contains a:
- Background to the GDPR and a summary of the key rules relevant to alternative investment management – including where these rules have changed from the Directive;
- Series of key questions and compliance considerations for AIMA member firms – highlighting the issues firms should consider when implementing the GDPR and the questions that should be asked internally;
- Set of tick-box compliance checklists – for alternative investment management firms covering general processes and scope mapping exercises, as well as the review of contracts and internal policies.
Electronic copies of the full AIMA GDPR Implementation Guide (January 2018) are available to AIMA member contacts via the AIMA website (www.aima.org). Electronic copies are subject to a limited licence and are reserved for the use of AIMA members only. For further details on AIMA membership, please contact Fiona Treble (email@example.com). For questions related to the content of the Implementation Guide, please contact Oliver Robinson (firstname.lastname@example.org).