We are scrutinizing a new topic: the EU’s General Data Protection Regulation, which becomes effective May 25th. It seems possible that some charitable organizations — and their endowment investment offices — might technically fall within the GDPR’s scope. Although the drive behind the GDPR was to strengthen data protections for EU consumers who interact with internet companies that gather and retain personal information, the precise extent of its reach is yet to be determined. As so often happens with a new regulatory requirement, broad language was used, little guidance exists on its application to investors, and future regulatory clarifications could easily eliminate burdensome requirements (or, of more concern, expand them). As if this were not enough, there is a great deal of uncertainty as to how EU regulators will enforce the GDPR — both initially and over time.
What is clear is this: an organization that is subject to the GDPR may have numerous compliance responsibilities and may face very significant potential penalties.
If you are interested in discussing these issues, so as to better enhance awareness of them by the endowment community, please contact Information@RegFG.com.
Given the present state of ambiguity, RFG has prepared an analytic approach for its retainer clients to use in considering the issue. Our analysis also highlights the key initial questions investment offices may want to use with internal control and governance groups to socialize the topic, and areas of risk and risk tolerances. Copies of the materials are available on RFG Pathfinder™ for retainer clients.