Can a bank or financial services firm partially comply with the GDPR? Some say it is an all-or-nothing proposition, but others assert that some economical steps can take a U.S.-based entity with limited E.U. contact most of the way. In this article, we discuss some of those compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The third installment in the series will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).