14 Aug 2018

What GDPR means for the asset management industry

While the impact of GDPR is most obvious on companies that hold and process consumer data, asset managers cannot afford to be complacent.

GDPR — what does business as usual look like?

Having worked feverishly toward day-one compliance, asset managers are also keenly aware that GDPR requires an ongoing strategic data protection effort. Here, we outline some of the ways in which the GDPR specifically affects the asset management industry, and how asset managers can embrace a sustainable and strategic data privacy approach through an intelligent data privacy framework.

Once the initial implementation deadline for the GDPR passed — and asset managers achieved all the requirements for compliance — many larger firms started thinking about GDPR 2.0. Now that the initial rush to achieve day-one GDPR compliance is in the past, what does the business as usual (BAU) operating model look like for asset managers? To answer this question, we first need to have a complete picture of how the GDPR impacts a typical asset management organization.

What has asset management data got to do with GDPR?

The type of data being processed varies widely depending on the type of asset management organization:

  • Asset managers typically have personal data relating to any “direct to customer” retail products, as well as alternatives products (particularly real estate). Asset managers whose customer base is institutional or corporate only are less exposed to the effects of GDPR. 
  • Outsourced asset servicers process some personal data on behalf of asset managers and wealth managers. Therefore, depending on the nature of the outsource arrangement, they also process significant amounts of personal data. 
  • Wealth managers and private banks have a lot of sensitive personal data relating to high-net-worth and ultra-high-net-worth individuals.

Impact of the GDPR on asset managers

  • Expanded notices about how personal information is to be used 
  • Limitations on retention of personal data 
  • Increased requirements to delete or hand over an individual’s information upon request 
  • Mandatory data breach notification requirements 
  • Requirements to maintain records of data processing activities and transfers of personal data 
  • Higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities


GDPR should not be seen as a mere compliance exercise — it offers the opportunity to implement best practice data protection protocols that safeguard your company’s most valuable assets: your employees, your clients, your investors and your reputation.

About this article


EY FS Insights
