Once the initial fervor over GDPR implementation dies down, companies will have to ensure that their program is properly maintained long-term. This final installment of our three-part GDPR series for the financial sector addresses how to monitor and assess the program and examines special considerations – such as determining the identity of controllers and processors and accounting for Member-State specificities. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. Part two detailed specific compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).