Data protection | Mar 29 2018

GDPR: Data D-day draws near for intermediaries


In a matter of weeks the EU’s General Data Protection Regulation (GDPR) comes into force. Due on 25 May, the rules bolster the existing rights individuals have over their personal data, as well as introducing more stringent requirements for how such information is treated by organisations.

GDPR requirements that affect intermediaries include the stipulation that any data they hold is accurate and up to date. Organisations must also have an individual’s consent to process their data and the subject can ask for this to be deleted, though some caveats apply. Firms must be able to produce evidence they are compliant with the rules.

Money Management explored issues such as these in November. Concerns have faded over issues such as clients’ ‘right to erasure’, but as the 25 May deadline nears, a number of other questions have become more urgent. 

Given the amount of personal and sensitive data advisers handle, extending all the way to medical information in certain cases, intermediaries face significant scrutiny under the new regulation. The Information Commissioner’s Office (ICO) can impose fines of up to €20m (£18m), or 4 per cent of group worldwide turnover, against non-compliant entities.

But as with Mifid II, many affected businesses appear unprepared for the new rules, even as the deadline draws near. When asked whether advice firms are ready for GDPR, Rob Walton, chief operating officer at business management software provider Intelliflo, seems doubtful.

“From the people we engage with, we can tell how many have downloaded our papers [on GDPR],” he explains. 

“We have probably around 60 or 70 per cent of firms downloading that content. That’s not bad, but even with those downloading the papers, you can tell by the questions you get that people are still quite far away. There are a lot of smaller firms that aren’t with the big networks who provide a lot of support.”

Priorities

Like Mifid II, GDPR is a large body of work with many ins and outs. But with time running out, Mr Walton has urged advisers – and the third parties they may rely on – to focus on a handful of tasks ahead of the implementation date.

The first area he identifies concerns privacy notices. These already exist under the Data Protection Act 1998, but must be much more detailed under GDPR. Organisations must explain to affected individuals how their personal data is processed – notices must be free of charge and written in clear and plain language. They must also be concise, transparent, intelligible and easily accessible.

Firms need to provide such notices to ‘data subjects’ – those whose data they process – by the deadline. So businesses should contact active clients, but also seek out ways of reaching individuals who are harder to contact.

Mr Walton says: “They need to get privacy notices that are GDPR-compliant, at least for their active clients. They need to have that on their websites too, so [they reach] people they have dealt with before and can’t get easy access to.”

Similarly, if an organisation receives data about an individual from another person, even a partner or spouse, a privacy notice must be provided directly to the affected person. But this only applies if contacting them does not involve “disproportionate effort”.

Getting the house in order

Another important job is to establish a data inventory, detailing what data the firm has, where this was acquired and who processes it. The requirement for a data inventory applies to organisations with more than 250 employees, which will encompass some advice firms. But organisations that process certain sensitive forms of data must also comply, meaning smaller advice firms are captured by this requirement. This will prove a major piece of work, but such databases – although onerous to establish – will be hugely beneficial under the GDPR regime.

Mr Walton adds: “You will know where to place data. If you have a breach, you will know what’s affected. If you have to change the processing, it’s going to make all of that much easier. It’s the same with things like the right to erasure, understanding where you have a legal basis and where you have to delete data.”

Other positives can be expected to emerge from GDPR compliance. John Stirling, a director at Walden Capital, says while he has discovered which of his external IT providers are up to speed with developments, for example, preparations could also help intermediaries to reassess their client bases.

Advice firm Sandringham Financial Partners is in the process of working through its client lists, which could help to reinvigorate certain relationships, says chief executive Tim Sargisson.

“We think there will be a list of clients advisers have regular contact with, and those they haven’t spoken to for five years. We have got to tidy it up,” he says.

“We are doing a contact strategy there. It’s a laborious process but the positive is it’s a great opportunity to re-engage with people and say ‘Hi, I’m here’.”

The harder they fall

Small entities often look most vulnerable to regulatory changes, given they have fewer resources than large organisations. But networks, sizeable advice businesses and other entities seeking to grow may have to radically change how they recruit new intermediaries under GDPR. 

Sandringham says its expansion strategy requires a rethink. “We have 155 partners. The approach to growing has been around calling advisers and presenting the proposition to them – that has been reasonably successful,” says Mr Sargisson.

“You buy a bank of data, [gathered] using public domains such as the FCA register. You then use that to contact advisers. If we look at GDPR, as a business we will be hamstrung in how we approach these people [because we cannot do that].”

As such, the firm needs to contact advisers before 25 May, asking for consent to get in touch in future. Generating future leads will require a new strategy.

“We have to be more creative and will go to more roadshows and conferences, where you can get commitments to contact people,” he says.

Other major organisations are less concerned. Adviser network Tenet also uses third parties to collate lists of adviser details and approaches them about becoming appointed representatives, but believes this practice is sustainable.

“The third party has to be GDPR-compliant [when providing us the data],” says Caroline Bradley, group risk and regulatory director. “They would have to ensure that they have complied.”

Large organisations such as Tenet have been busy with education and training programmes in the run-up to implementation. Smaller businesses may lack such resources, but help is at hand: the ICO recently produced a GDPR preparation guide for micro businesses to follow, as well as establishing a helpline.

Caveats and complaints

Though individuals have certain rights under the new rules, including the ability to request their data is deleted, specific caveats will prove vital for advisers. Some have previously complained that if forced to delete data, they will fall foul of the FCA’s record-keeping requirements. More severely, they might end up deleting data they may one day need to defend themselves against complaints or legal claims.

However, there are lawful grounds for not deleting the data. This includes cases where it is necessary for the performance of a contract with the subject, where it is needed to comply with a legal obligation, or where it is necessary for the purposes of “legitimate interests” pursued by the data controller or a third party.

The latter also helps in cases where intermediaries may wish to send literature such as newsletters to clients. As this would be related to the services provided, firms can defend this practice unless a client specifically opts out.

Loose ends

There are other considerations that should figure in GDPR preparations. For example, firms should store data safely and have it backed up, and any breaches must be promptly reported. They should also be responsive to subject access requests, which involve an individual requesting to see the data held on them.

Another area to remember is training: if a firm has failed to train its staff in GDPR-compliant practices and then falls foul of the rules, it will be vulnerable to punitive measures. As with Mifid II, advisers may see that the consequences of this regulation become clearer after its initial implementation. But there will be little excuse, or leniency, for those who fail to prepare.