Earlier this year at one of the DISCUS seminars, a quick show of hands from financial advisers indicated many were unclear about their responsibilities under the new General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
The deadline is fast approaching and we believe many firms are still not clear about their obligations. We spotted this extremely helpful 10-point guide produced by our friends at Intelliflo and thought we should share it as a reminder.
The 10 points covered:
1. When does GDPR kick in?
2. What are the penalties?
3. Brexit will not save you
4. How can you end up before the regulator?
5. How do I report, and to whom?
6. Accurate data only
7. Contact legacy clients now
8. Portability, availability and the right to be forgotten
9. Privacy by design
10. Show your workings
You can access the full document here, but we thought we would highlight a couple of the above points in more detail:
Contact legacy clients now
If you wish to continue to contact legacy clients and prospects, then you need to gather the evidence that they wish to be contacted by you now. After 25th May, sending out requests for permission to contact people will itself constitute a breach, since you do not have consent from them to undertake such an activity. If you seek permission and no affirmative action is taken by the individual being contacted, this does not constitute consent under GDPR and you will be unable to contact that individual again.
Of course, with clients and legacy clients, some contact is necessary for the performance of your contract with them, such as portfolio valuations and statements. These are necessary touch points. Marketing a new investment proposition, for example, is not and requires unambiguous consent.
Portability, availability and the right to be forgotten
GDPR empowers individuals to take greater control over the processing of their data, including moving their data from one provider to another. Upon receipt of such an instruction from a client, you will need to provide their data without undue delay, and within one month. The data should be made available in an easily readable electronic format, such as Word or PDF. This doesn’t mean that you need to bring your data in line with other firms or an industry standard, just that it can be easily understood by the recipient.
Finally, individuals can request that you forget them, i.e. delete them from your database. For financial advisers, where previously advised clients may have legal recourse over your engagement with them, a request to be forgotten can be refused, but only where you will need the data in those future circumstances. Otherwise the data you hold on them must be deleted.
Wenda Field, Sales Director at Intelliflo, said:
“If firms are unsure of their obligations under GDPR, then I would encourage them to read our guide. We have had a lot of interaction with firms that are putting their plans in place to be compliant with the regulation now, and our guide has been produced on the back of consultation with our clients and partners. There are some specific challenges facing the financial advice industry in GDPR, so if you haven’t got round to looking at it yet, there is still time, but it is advisable to understand your obligations as soon as possible.”
If you have any questions regarding GDPR, please leave a comment below.