The race to meet the May 25 deadline for the EU's General Data Privacy Regulation is a race that many hedge funds and other buy-side firms do not expect to finish.
It is not feasible for a fund to invest in all of the technology and teams to manage all of the processes related to GDPR, Chris Grandi, CEO of private-cloud host Abacus Group, told Markets Media.
"It is like 15 years ago when nobody really had a chief compliance officer, but then everyone was required to have one," he said. "Most of the people who took the title were not compliance people."
Many firms find addressing the gray areas generated by the regulation's principle-based approach challenging.
"The regulation comes out from a 20,000- or 30,000-foot perspective, but it is really those areas down low of which you have to be cognizant," said Grandi. "Would it ever get down to the level of detail on how you would encrypt data on a remote drive that you plan to take on vacation? No. They would never go that far."
For those firms that do not meet the regulation's deadline, their only option is to play the odds that the regulators with their limited resources would not be able to audit everyone starting on the first day when GDPR goes into effect.
Many firms look to complete 10 to 20% of the necessary process and plan to show they have achieved progress if they happen to get audited.
"I understand the strategy because there is no way that everyone can get audited," said Grandi. "However, the pricing on the GDPR fines is frightening. It's a question of whether the regulators will lay out those fines."
Abacus Group expects to attain GDPR compliance in sometime between late April and mid-May using similar methods for obtaining its SSAE, SOC 1 and SOC 2 as well as EU-US Privacy Shield certifications.
"It is not a simple process to get compliant and really adhere to it," he said. "You have these third-party organizations come in and certify you. Then it becomes a check in the box more than anything else."
Abacus Group has also spent time with its clients to make them aware of what the cloud provider has and does. Beyond providing improved transparency into its processes, the vendor will not take on the GDPR responsibilities and risks of its clients.
"If there were GDPR issues at the fund level, it is not like they could turn to the EU regulator and say that it is an Abacus issue," said Grandi. "It is not because Abacus is not required to be GDPR compliant, but the client is."