In addition to prompting U.S. fund managers to add European Union General Data Protection Regulation (GDPR) compliant representations to agreements that touch E.U. employees or investors (and updating privacy policies and subscription agreements for E.U. investors), the GDPR, which took effect last month, applies to a fund manager's use of alternative internet data, such as credit card panel data, social media data, app usage data and location intelligence data.
Unlike the U.S. data law concern with "personally identifiable information," such as social security numbers, the GDPR's focus on "personal data" is broader and covers any data that can be reverse-engineered or combined with other accessible data to identify an individual. Fund managers may begin complying with this aspect of the GDPR by seeking assurances from vendors that they are not receiving data that constitutes personal data under GDPR, requesting that data supplied be anonymized and/or preparing a vendor on-boarding due diligence questionnaire to verify a vendor's internal GDPR compliance policies and procedures and insurance coverage in the event of a breach.
This article was written with contributions from Nabeela Latif.