Data protection

Feb 22 2018

New data rules could destroy advisers’ lead lists


Advisers have been warned they will need to cull potential clients from their databases of prospects from May if those on the lists do not explicitly consent to their data being held.

Under incoming European regulations, consumers will be given more control over their data and will be able to ask companies to delete it.

Advisers using online directories which bring together financial professionals with those seeking their services will also have to make sure any enquiries they get this way comply with the new rules.

One of the leading directories, VouchedFor, has warned it will not be doing this on their behalf. Rival Unbiased did not confirm its position despite repeated requests.

Lorraine Mouat, a specialist on the new rules, the General Data Protection Regulation, at compliance consultancy TCC, warned advisers a lack of response from clients on whether they could hold onto their data would not amount to consent.

She said: "Prospect lists should be treated in the same way as any personal data that a firm holds. First and foremost, firms need to make sure they have identified the legal basis they will be relying upon for processing any personal data relating to prospects.

"Then they will need to carry out a data audit to understand where all the personal data is stored. Using this information, firms will be better placed to undertake a data cleanse on all existing prospect data to ensure that only data that is necessary for a specific purpose is retained.

"Dependent upon the legal basis that firms are relying on, it may be necessary to review and update current consents to comply with the new requirements. Firms will need to ensure that they do not make contact with anyone who has previously withdrawn consent and they must provide a clear and easy mechanism for withdrawal of such consent.

"Where this is not possible, or where re-consent has not been gained, the data will need to be deleted or anonymised. Remember that lack of response does not equal consent."

She added using data for marketing without the consent of the person it belonged to would be effectively illegal from 25 May.

The Information Commissioner's Office has a range of powers to enforce GDPR, including warnings, reprimands, temporary or permanent bans on handling data and fines based on the size of the firm - up to €20m (£17.7m) or 4 per cent of annual turnover, whichever is greater.

It also has the right to order the deletion of data.

Caroline Bradley, risk and regulatory director at Tenet, said the network, among the UK's largest, is recommending to its members that they review their client databases to make sure they have the correct consents in place.

She said: "The key to keeping marketing activities compliant revolves around ensuring advisers have proper consent to market to their existing and potential clients. The level of consent varies depending on whether the marketing is done by email, telephone or postal mail."

GDPR introduces a number of regulations which will affect financial advisers, including the right to erasure, meaning an individual can request the deletion of personal data relating to them, and the right to access, meaning an individual can demand information on how their data is being used and a free copy of their personal data.

It also introduces the right to data portability, which means a person must be able to transfer their personal data from one system to another without being prevented by the handler of their data.

Meanwhile explicit consent must be obtained for the collection of data and all the purposes it is used for, while all data breaches must be reported within 72 hours.

VouchedFor has said it is up to advisers to make sure they are handling data which comes through its service in a compliant way, meaning it will not be carrying out this service on their behalf.

A spokesman for VouchedFor said: "We have an appointed data protection officer in place and a clear roadmap of work underway to ensure that we are fully compliant with GDPR well ahead of the deadline.

"As far as consumers are concerned - connecting consumers with advisers is a core part of our service, therefore our GDPR obligations are largely addressed through establishing and recording legitimate interest.

"This also means that advisers are not classed as data processors of VouchedFor, they need to ensure the management of their database - which may contain enquiries from us - is GDPR compliant."

A spokesman for Unbiased said: "Data and data privacy is very important to Unbiased and, like adviser businesses, we are working to ensure that we are compliant with the GDPR regulations ahead of May.

"Enquiries shared between Unbiased and the advisers will fall under GDPR regulation. Both parties need to ensure they share and process data with each other in a GDPR compliant way."

damian.fantato@ft.com