One year after its introduction, the European Union’s General Data Protection Regulation (GDPR) has had unintended consequences, according to a leading expert on asset management regulation.
Regulation consulting firm Laven Partners said the GDPR has made it hard to track cyber criminals, due to restrictions on processing web domain registration details, such as names and addresses. Another unintended result has been “opt-in fatigue”, with individuals becoming tired of being asked to consent to policies, which they have not read, on how their data will be used. This means that they lose the privacy rights brought in under GDPR. The GDPR was also intended to address the dominance of tech giants such as Google and Facebook, but these companies have the scale and resources to deal with additional compliance requirements in digital advertising that smaller, independent firms lack.
For the asset management industry, the GDPR was seen as having an impact on fund managers, rather than fund vehicles. However, Laven Partners said that while managers have become GDPR compliant, funds have not, leaving funds and investors exposed to the risks of non-compliance. It commented: “What adds to this risk is that service providers, notably administrators, often define the fund as the data controller of the data that they process on the funds’ behalf. Consequently, funds have ended up bearing the ultimate liability for any potential non-compliance, without accurate provisions to mitigate such risk.” It warned that the consequences of non-compliance include not only fines of EUR20 million or 4% of turnover, whichever is greater, but also damage to their reputation, which could be a disaster for liquid funds, where ensuing redemptions could kill the product.