EU's Privacy Regulation Still a Work in Progress for Asset Managers

EU’s Privacy Regulation Still a Work in Progress for Asset Managers
Using third-party service providers adds to the complexity

August 2018, London. While asset management firms and investment funds have done much to comply with the European Union’s General Data Protection Regulation (GDPR), which took effect in May this year, more still needs to be done, according to the latest The Cerulli Edge―Global Edition.

For asset managers, the implications of GDPR are complicated by the tendency of the industry to work with third-party suppliers of services, says Cerulli Associates, a global research and consulting firm.

André Schnurrenberger, Cerulli’s Europe managing director, notes that all firms have, or will have to implement, a governance framework to facilitate the ongoing monitoring of compliance with the regulations, and the management of privacy risk across the business. This will mean ongoing costs and effort.

“Implementation of GDPR will remain a key issue for the boards of investment funds, management companies, and third-party service providers,” says Schnurrenberger. “Investment spending will be concentrated in two key areas: regulation of technology solutions, as organizations seek to reduce the cost of compliance with GDPR; and data analytics, as organizations seek to gain a competitive edge.”


Analysis of existing and potential clients will not only use the personal data that is available, but also information from alternative sources such as social media. Organizations that seek to capitalize on this opportunity will have to decide if the gathering, processing, and analysis of the data is legal, ethical, and fully compliant with GDPR, says Cerulli. “Investment funds and asset management companies are data controllers and, in the case of the latter, probably data processors as well for the purposes of GDPR,” says Schnurrenberger.

Cerulli says that as of mid-2018 it appears that the significant costs of preparing for and implementing GDPR have been absorbed by the investment funds, the management companies, and the data processors with which they work.

“The new regime has increased operating costs for most organizations, but to date there has been little impact on investor clients. The corollary of this is that financial services companies have a strong incentive to look for fintech, specifically regtech solutions, that will reduce the costs of compliance with GDPR,” says Schnurrenberger.

He expects that by mid-2019, the medium-to-long-term implications of GDPR will be far clearer. “In the interim, organizations doing business in the EU will need to continue investing, procedures, systems, and technology, even if the apparent risks of privacy breaches are low,” he concludes.

Looking for more information? Contact Us.