Now that the effective date for the recast Markets in Financial Instruments Directive has passed, investment managers across the E.U. and beyond have turned their attention to implementing policies and procedures to enable them to comply with the E.U.’s General Data Protection Regulation (GDPR), which is scheduled to become effective on May 25, 2018. Although the GDPR will primarily affect investment managers and private funds domiciled in the E.U., it will also have broad extraterritorial effect, as investment advisers and funds domiciled outside of the E.U. will likely periodically process personal data of natural persons, especially where the investment manager or fund accepts investments from E.U. investors. In this two-part guest series, Oliver Robinson, associate director of the Alternative Investment Management Association, breaks down the key provisions of the GDPR and how they may affect advisers and private funds. This second article discusses the rights of data subjects, the minimum requirements applicable to a processor, the role of a “Data Protection Officer,” the cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. The first article reviewed the driving forces behind the enactment of the GDPR, its territorial scope, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. For more on the GDPR, see “The Challenges and Benefits of Multi-Factor Authentication in the Financial Sector (Part Two of Two)” (Nov. 9, 2017).