This article, which appeared in the FinOps Report, highlights the dangers for compliance and operations managers at US asset management firms if they have not already made substantial inroads into complying with the General Data Protection Regulation (GDPR), which went into effect on May 25. This includes having begun data mapping and amending their contracts with third-party service providers, such as fund administrators and transfer agents. Given that the GDPR's range of applicability is so extensive and ill-defined, US asset managers need to play it safe. Doron Goldstein, partner and co-head of Katten's Privacy, Data and Cybersecurity practice, said, "They can't take the chance that an investor or whistleblower will complain to a European regulator." This becomes even more critical when the penalties for violations of any of the GDPR rules can be significant—as much as the greater of €20 million or 4 percent of annual revenues.

When it comes to informing investors about GDPR, US asset managers will need to take a close look at all of their key disclosure documents, including websites, to determine whether they include a clear explanation of investor rights. "Given that subscription documents already contain a US data privacy notice," continued Doron, "it also may be beneficial to include a GDPR privacy notice where the subscription documents are to be used by European investors."

Read "GDPR: Final Call for US Asset Managers" in its entirety.