Regulation | Sep 20 2017

Advisers ignoring warnings on data protection rules


Advisers have only until May 2018 to comply with the General Data Protection Regulation (GDPR), which could require them to drastically overhaul how they manage client information.

But a survey among 270 users of Intelliflo’s Intelligent Office found 67 per cent said they don’t have a plan for this.

Almost one in 10 said they were not aware of the new regulation at all.

GDPR introduces a number of regulations which will affect financial advisers, including the right to erasure, meaning an individual can request the deletion of personal data relating to them, and the right to access, meaning an individual can demand information on how their data is being used and a free copy of their personal data.

It also introduces the right to data portability, which means a person must be able to transfer their personal data from one system to another without being prevented by the handler of their data.

Meanwhile explicit consent must be obtained for the collection of data and all the purposes it is used for, while all data breaches must be reported within 72 hours.

Earlier this month Financial Adviser, FTAdviser’s sister publication, found concerns among networks that the rules would leave advisers unable to defend themselves against Financial Ombudsman Service complaints.

This was because financial advisers could find themselves forced to delete information at the request of clients, only to face complaints being made to the Fos which they are unable to defend.

Rob Walton, chief operating officer of Intelliflo, said: “Although May might seem like a long way off, it’s actually very little time for advisers to start preparing for the enforcement date of GDPR.

“It’s not the case that if you are compliant with the current Data Protection Act, then there’s little to worry about.

“The new regulation is far more detailed, with new obligations and requirements and it’s essential that advisers can demonstrate that they have taken action to ensure they are fully meeting these.

“Personal data is the very essence of financial advice, therefore GDPR could have a significant impact on most, if not all, firms.

“Our survey throws up some worrying results and I urge advisers to act now to get a firm grasp on what it means for them and their businesses.”

The survey found widespread confusion about the differences between the existing Data Protection Act and the new requirements under GDPR, with just three in 10 saying they understand the differences very well.

Of the rest, around a third – 32 per cent – said they have a little understanding of the differences, with almost four out of 10 – 39 per cent – saying they don’t understand the differences well, or not at all.

Meanwhile three quarters (74 per cent) of those surveyed were not concerned or didn’t know about the impact GDPR will have on their businesses.

GDPR includes steep fines for non-compliance, which for the most serious infringements can reach a maximum of 4 per cent of annual turnover or €20m, whichever is greater.

The EU has defined data as being any information relating to a person which can be used to directly or indirectly identify that person, including a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.

 

damian.fantato@ft.com