Tannenbaum Helpern Syracuse & Hirschtritt, LLP
About Us Careers Contact Us Search
Home Practice Areas Industries Case Results Attorneys Publications Events Press Room

General Data Protection Regulation Affects Investment Advisors with EU Clientele

Click here to download PDF

The European Union (“EU”) recently enacted the General Data Protection Regulation (“GDPR”) which will take effect in May 2018. The GDPR is a sweeping regulatory regime designed to protect the personal data of EU residents (i.e. natural persons residing in the EU) and to give them control over their personal information. Although the regulations were enacted in the EU, any entity around the world that processes the personal data of EU residents is subject to the GDPR. In other words, any investment advisor with clients in the EU must comply with the GDPR.

Penalties for violating the GDPR can be quite punitive, with fines up to €20 million or four percent (4%) of an entity’s annual worldwide revenues. Given the wide reach and potential consequences of non-compliance, it is important that investment advisors with EU clients be aware of the GDPR’s requirements and have proper programs in place to adequately safeguard the data that falls within its ambit.

U.S. federal and state law requires businesses to safeguard the personal data of their clients. Under the Gramm-Leach Bliley Act, financial institutions must adopt security measures to safeguard client information (as with the GDPR, this requirement applies to clients who are natural persons). Pursuant to the Gramm-Leach Bliley Act, the SEC released Regulation S-P, which sets forth the privacy policies that an SEC registered investment advisor must adopt to adequately protect the non-public information of its clients (investment advisors not registered with the SEC must comply with the Safeguards Rule promulgated by the FTC). Such policies include: the adoption of written policies and procedures, the identification of potential risks that could compromise confidential information and the periodic assessment of compliance procedures to ensure that adequate protections are in place. While the requirements of Regulation S-P will likely overlap with some of the provisions of GDPR, the GDPR will also impose additional requirements on investment advisors with respect to their EU clients.

Rather than providing a checklist of action items deemed to be adequate safeguards of personal data, the GDPR identifies a set of principles including data security, accountability, lawfulness, purpose limitation and data minimization. Given the general nature of the principles, the method of compliance with the GDPR is open to interpretation. EU Member States are currently adopting laws and regulations that implement the GDPR principles.

Although the GDPR does not provide much specific guidance for compliance, particularly for investment advisors outside of the EU, investment advisors can take concrete steps right now to better prepare themselves. These steps include the following:

  • One of the key components of the GDPR is that EU individuals must provide their affirmative consent for their personal data to be used. Obtaining such individuals’ general permission to use their personal data will not be sufficient; rather, these clients must consent to the specific intended uses. Subscription agreements may need to be updated to ensure that client consent is given in the appropriate manner with representations that adequately specify the potential use of client data (e.g., to satisfy KYC obligations).
  • All personal data of clients must be accurate and up-to-date. Investment advisors should take an inventory of their client data and update it as necessary to ensure that all information is current and correct. While it remains unclear how frequently such an inventory will be required under the GDPR, a good starting point is for investment advisors to review such information in the course of their next regularly scheduled compliance review.
  • Investment advisors should ensure that their service providers are aware of the GDPR and that they are taking the appropriate steps to implement the Regulation. The GDPR requires that personal data may be processed only within the parameters of clear instructions with respect to such data. Contracts with third party service providers may need to be amended to reflect the new requirements.

* * *

For more information or if you have any questions regarding the topic discussed above, please contact the attorney with whom you work regularly or any of the following in our Financial Services, Private Funds and Capital Markets practice group:

Michael G. Tannenbaum

(212) 508-6701


Wayne H. Davis

(212) 508-6705


Michele Gibbs Itri

(212) 508-6732


Beth Smigel

(212) 702-3176


Emma Brady

(212) 508-6775


Daniel Altabef

(212) 508-6782


BulletPoint® is a newsletter of Tannenbaum Helpern Syracuse and Hirschtritt LLP’s Financial Services, Private Funds and Capital Markets Department. It is an alert covering recent regulatory and tax developments impacting the financial services industry and its players. To subscribe for the newsletter, send email to marketing@thsh.com.

General Data Protection Regulation Affects Investment Advisors with EU Clientele
Business Litigation Bulletin
Employment Notes
Note from the Real Estate Group
THSH E-Alert
Other Publications
Articles By Topic
Cyber & Privacy Alert
New York Law Journal
Attorney Professionalism Forum
Join Our Mailing List
Like us on FaceBook Follow us on Twitter Get LinkedIn with us Pin It! Email Us Print this Page

Sitemap |Terms of Use | Privacy | Attorney Advertising

Tannenbaum Helpern Syracuse & Hirschtritt LLP provides legal advice only to individuals or entities with which it has established an attorney-client relationship and such advice is based on the particular facts and circumstances of each matter. Contacting us through this site, or otherwise, will not establish an attorney-client relationship with us. Any e-mail or other communication sent to THSH or its lawyers through this site will not be treated as subject to the attorney-client privilege or as otherwise confidential and you should not include any confidential information in any such communication.