U.S. Advisers Getting Serious About Fast-Approaching GDPR Deadline

For over a year, May 25, 2018 has been circled on the calendars of many chief compliance officers and chief technology officers at U.S.-based investment advisers and asset managers with a European presence or European investors. For others, the quickly approaching date may be coming as a surprise as they grapple with how to tackle yet another broad regulation with significant financial consequences.

We’re talking, of course, about the General Data Protection Regulation (GDPR), the EU’s sweeping data privacy regulation approved in April 2016 by the EU Parliament and set to take effect on May 25. GDPR is the EU’s effort to bolster the privacy protections available to EU residents to control how their personal data is gathered, processed, stored, and if they so desire, deleted, as well as to impose stricter reporting requirements relating to the breach of such information. The prior EU data privacy regulation, adopted in 1995, had become obsolete in the age of Facebook, Google, and the Internet in general.

While GDPR is not a financial regulation, it has the potential to profoundly impact the operations of financial firms, and asset managers in the U.S. should be cautious in casually dismissing GDPR as an EU-only rule with no domestic implications. The complexities of compliance with the regulation are driving efforts among advisers everywhere to understand who has access to what data, where personal data resides on their systems, and what the downstream data flows are to interconnected systems, vendors, and departments.

Firms should first assess whether GDPR is, or is likely to be, applicable to their business. The answer is likely to be “YES” if:

  • The firm has a presence in the EU, and collects or processes personal data about an EU resident in the context of its business activities (as opposed to personal, non-economic reasons), or
  • The firm, regardless of where it is located, processes personal data about an EU resident as part of the marketing of goods or services, or monitors such EU resident (which can include the use of cookies and similar tracking)

There are some exceptions to the above. For example, firms with fewer than 250 employees are not required to maintain certain transactional records under GDPR.

Personal data is defined broadly to include everything from an individual’s name and ID numbers to his or her IP address, Internet cookies, genetic information, ethnicity, sexual orientation, and even political opinions.

While GDPR compliance is going to be a significant undertaking, given that its various requirements are set forth in 91 different articles of legislation, there are a few key points to keep in mind for firms subject to GDPR:

  • “Data subjects” (i.e. the EU residents whose personal data we’re talking about) have a “right of portability” of their data to another service provider and a “right to be forgotten” or “right to erasure” (e.g. to have their data deleted, unless the data is required to be maintained for regulatory recordkeeping purposes)
  • Firms must establish reasonable safeguards to protect data of data subjects from compromise or loss. Such safeguards include the use of encryption and anonymization/pseudonymization of personal data. Anonymized data is data from which the data subject is not identifiable at all, whereas pseudonymized data is data from which the data subject is not identifiable without the use of additional information.
  • Firms must conduct Data Protection Impact Assessments (e.g. risk assessments)
  • Data breaches are required to be reported to Supervising Authorities (SAs) within 72 hours of becoming aware of the breach, including details of the breach and an estimate of how many records were impacted
  • Firms must address disclosure requirements involving informed consent as to the reason data is collected and used.
  • Noncompliance with GDPR requirements carries a stiff penalty, which can be up to 4% of the firm’s global annual revenue.

The clock is ticking, with less than 120 days until the May deadline. Compliance with GDPR will require a combination of technology, systems, processes and people.


Ascendant can help evaluate your cybersecurity program, perform cybersecurity testing, and offers a secure cloud-based compliance software suite – Ascendant Compliance Manager – that can be used to manage GDPR across the entire enterprise, including:

  • Mapping and categorizing personal data across systems and applications;
  • Conducting third party due diligence;
  • Managing GDPR risks and controls; and
  • Distributing updated policies and training to employees.

For more information, or for a demo of ACM, please contact us at info@ascendantcompliance.com or call us at 860-435-2255.

Related Content

Latest Content

Custody Concerns Continue

You timely filed your Form ADV within 90 days of fiscal year end, but did you properly answer all the questions related to custody? Not surprisingly, the Form remains confusing for many advisers, as does application of the Custody Rule itself. The SEC has issued guidance, letters to the industry, alerts and FAQs, but things … Continued

Blockchain Isn’t Hot Sauce

Guest post by Samson Williams, Partner – Axes & Eggs and Keynote Speaker – Ascendant CSS Spring 2019 Conference  I started telling people that blockchain isn’t hot sauce in mid-2017 to help explain why initial coin offerings (ICOs) were just the latest form of unregulated, online gambling. In November 2017, with Bitcoin nearing a high … Continued

The Importance of Effective ADV Disclosure: Staying Ahead of the Regulators

This ComplianceCast will discuss how firms can mitigate risk by having effective disclosure in their Form ADV Brochure. Our panelists will be CSS Ascendant Senior Consultant Ariana Monchick and Jessica Matelis, Partner at Foley & Lardner and former Senior Counsel at the SEC Division of Enforcement. They will discuss: Required disclosures The types of conflicts … Continued

Regulation Best Interest, Cybersecurity Top Concerns at IAA 2019 Compliance Conference

The Investment Adviser Association (IAA) represents the interests of investment advisers in Washington D.C., and the IAA Investment Adviser Compliance Conference 2019 was a forum for the discussion of future potential rulemaking. Cybersecurity and Fiduciary Rule considerations were headline topics, with custody and marketing right behind. The following is a summary of key issues discussed … Continued

The Challenges of Building a Global Compliance Program

Compliance programs face challenges in balancing global requirements with local exceptions while incorporating the fast pace of regulatory change, addressing critical business needs and obtaining the necessary resources necessary to manage the program. Trends and thinking on the subject were center stage at the recent CSS London event “Looking at the Year Ahead – Global … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.