They need to ask the very basic question: Does GDPR apply to me? The considerations that need to be taken into account are: whether they have EU investors, whether they have any sort of representative offices in the EU and whether there are employees in the EU.

Then it gets a little grayer. The one that catches a lot of firms is whether they even have any marketing efforts aimed toward EU investors. For example, if you have a website, or if a firm has documents that they’ve translated into local languages or a fund offering is in euro-denominated shares, you’re going to be caught up in GDPR.

We also need to look at the effect of GDPR on portfolio investments. For example, a hedge fund manager of a debt fund may get information on the personal data of underlying private debtors in the EU. That would bring the fund under GDPR and subject to all of the requirements, as well as very significant financial penalties if GDPR regulations aren’t followed.

The penalties are potentially expensive for blatant violations — the fines go as high as 4% of an organization’s annual worldwide revenue or 20 million pounds, whichever is greater. So if you’re talking about a global asset manager, for example, the penalties are just mindboggling. There is a tiered approach to fines. For example, in what is considered a less material violation for not having appropriate books and records related to GDPR, the fine can still be as high as 2% of an organization’s annual worldwide revenue.