By Miles Reucroft, Intelliflo
We recently ran a survey among 270 users of our Intelligent Office practice management system to gauge the readiness of UK financial advisers for the forthcoming General Data Protection Regulation (GDPR). It is, after all, arriving on 25 May 2018.
- GDPR promises to have a significant impact for advisers so requires some attention
- Many advisers don’t yet have a plan for compliance
- There are a number of key changes, including access and portability requests for which advisers need to start preparing
That date may seem a long way off, but for many firms, GDPR will have a huge impact so getting into position early is vital. It fundamentally alters how firms can handle and process data - a core activity in any adviser’s day.
Yet our research found that 67% of advisers do not have a plan to ensure GDPR compliance. Furthermore, 9% were not even aware of what GDPR is.
The changes that advisers need to start preparing for now are:
Access requests – current and former customers will be able to request comprehensive access to the data that you hold on them. How will you comply with this and provide the data?
Portability requests – customers may choose to leave for a competitor and it will be required that you hand over all data to the new firm in an easily readable format.
Data accuracy – it is unacceptable under GDPR to hold inaccurate and irrelevant information. If you hold data on customers’ sexual orientation or religion, for example, consider whether you really need this. If you do not, then delete it. All other data will need to be kept accurate as far as is reasonable. How will you make reasonable efforts to ensure that your data is accurate?
Reporting data breaches – if your system is hacked or you lose data, it will need to be reported to the ICO within 72 hours. Where the rights and freedoms of the individuals whose data has been compromised is threatened, you will also need to inform them of the breach. There is a very real danger of reputational damage occurring here.
Contact only those who wish to be contacted – it will no longer be acceptable to send newsletters and company communications to people who have not expressly consented to receiving such communications. You will need their approval. Communications that fall under the performance of a contract, e.g. portfolio valuations, can still be sent, but marketing communications need consent from the recipient.
This is just a snapshot of the changes that are going to be implemented. Some of the regulation appears to contradict other regulation, too, so you need to be aware of the hierarchy. For example, advisers need to retain legacy information on previous clients in case of future litigation. This can override the right to be forgotten under GDPR, where individuals can instruct you to delete the data that you hold on them.
It is understandable that many have shied away from tackling GDPR head on – it is not easy, on the face of it, to make fundamental changes to your business.
Intelliflo has, however, produced a range of comprehensive materials on GDPR for financial advisers. We have set up a specific GDPR page on our website which contains overviews of the regulation and what you can proactively do to prepare.
We have also established a GDPR Working Group amongst our clients which is intended to find common ground for all advisers to be able to clearly comply with GDPR. You can discover what your industry peers are doing around GDPR here.