As in other industries, the GDPR does not just affect investment managers domiciled in the E.U. – it can have broad extraterritorial applicability. This two-part series breaks down how the key provisions of the GDPR impact advisers and private funds. This second article discusses the rights of data subjects, minimum requirements applicable to a processor, the role of a DPO, cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. The first article reviewed the driving forces behind the enactment of the GDPR, its territorial scope, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. See “Using Technology to Comply With the GDPR” (Feb. 14, 2018).