GDPR: Data D-day draws near for intermediaries

Following the introduction of Mifid II in January, 2018 has got off to a stressful start for many in financial services. But as advisers digest the enforcement of these rules, another major piece of regulation now looms large.

In a matter of weeks the EU’s General Data Protection Regulation (GDPR) comes into force. Due on 25 May, the rules bolster the existing rights individuals have over their personal data, as well as introducing more stringent requirements for how such information is treated by organisations.

GDPR requirements that affect intermediaries include the stipulation that any data they hold is accurate and up to date. Organisations must also have an individual’s consent to process their data and the subject can ask for this to be deleted, though some caveats apply. Firms must be able to produce evidence they are compliant with the rules.

Money Management explored issues such as these in November. Concerns have faded over issues such as clients’ ‘right to erasure’, but as the 25 May deadline nears, a number of other questions have become more urgent. 

Given the amount of personal and sensitive data advisers handle, extending all the way to medical information in certain cases, intermediaries face significant scrutiny under the new regulation. The Information Commissioner’s Office (ICO) can impose fines of up to €20m (£18m), or 4 per cent of group worldwide turnover, against non-compliant entities.

But as with Mifid II, many affected businesses appear unprepared for the new rules, even as the deadline draws near. When asked whether advice firms are ready for GDPR, Rob Walton, chief operating officer at business management software provider Intelliflo, seems doubtful.

“From the people we engage with, we can tell how many have downloaded our papers [on GDPR],” he explains. 

“We have probably around 60 or 70 per cent of firms downloading that content. That’s not bad, but even with those downloading the papers, you can tell by the questions you get that people are still quite far away. There are a lot of smaller firms that aren’t with the big networks who provide a lot of support.”


Like Mifid II, GDPR is a large body of work with many ins and outs. But with time running out, Mr Walton has urged advisers – and the third parties they may rely on – to focus on a handful of tasks ahead of the implementation date.

The first area he identifies concerns privacy notices. These already exist under the Data Protection Act 1998, but must be much more detailed under GDPR. Organisations must explain to affected individuals how their personal data is processed – notices must be free of charge and written in clear and plain language. They must also be concise, transparent, intelligible and easily accessible.

Firms need to provide such notices to ‘data subjects’ – those whose data they process – by the deadline. So businesses should contact active clients, but also seek out ways of reaching individuals who are harder to contact.