CEO Blog: EU privacy laws are about to get a lot tougher (for all)
By Jack Inglis, CEO, AIMA
Published: 01 February 2018
The ever-rising frequency of cyber attacks means alternative investment management firms tend to adopt a philosophy of when, rather than if, they will become a target. There is no shortage of incentives to get this right. But from 25 May, another will emerge: under the EU’s new General Data Protection Regulation (GDPR), any firm found not to have taken sufficient care over the security of the personal data it holds could face sanctions, including fines, from regulators.
The GDPR represents the biggest change in EU data privacy law in a generation, and alternative investment management firms need to be prepared. The regulation applies not only to firms in the EU, but those outside Europe that have an establishment or provide services in the EU. Merely marketing funds in the EU could bring a third country firm in scope.
This issue is already front-of-mind for UK and other EU firms - for whom this is the next big regulatory challenge after MiFID2. But a number of firms in the US and other non-EU territories appear to have some catching up to do in order to be ready in time.
The regulation does not just apply to a firm’s own systems. Managers will also be judged on the data protection standards and policies of their service provider networks, such as administrators, consultants and law firms.
If a personal data breach occurs, firms will have 72 hours from becoming aware of it to notify the relevant supervisory authority. Only the most egregious of breaches will result in penalties. But firms will still need to demonstrate that they have a clear understanding of what personal data is in their possession, why it has been obtained and how it is being used - including whether it is shared with entities outside the EU - and that they have implemented the systems and processes necessary to meet the GDPR requirements. The future of their business may depend on it.
AIMA recently published a GDPR Implementation Guide, which is available to members on the AIMA website (here – log-in required). The 55-page Guide summarises the GDPR framework for alternative investment management firms and funds and looks at how the new rules differ from the current regime. It also contains a checklist of actions.