Questions to ask about buying client data under GDPR

Phil Young

Advisers are all too aware that the next wave of regulatory reform is never far away.

While the aftershocks of Mifid II are still being felt, advisers are in the midst of gearing up for the next set of rule changes looming on the horizon, the General Data Protection Regulation (GDPR).

While the regulation covers a wide range of business functions, much of advisers' preparation will involve managing supply chains to ensure that the third parties they pass client data on to for processing also understand their responsibilities under the new rules.

Unlike the Data Protection Act, GDPR makes it mandatory to have a contract in place with any third party you pass data to. This includes fund groups, discretionary fund managers (DFMs) and platforms, as well as outsourced administrators, paraplanners and compliance people.

This applies whether the processing is automated, for example, a cashflow modelling tool, or non-automated, such as a DFM which is passed client information in order to construct a portfolio.

Crucially, if you pass your own processing obligations to a third party who gets it wrong, you remain directly liable to the client for fulfilment of these obligations.

As when outsourcing compliance or paraplanning, you can build terms into contracts with third parties which allow you to claim damages from them should you be sued or fined for their negligence, but those third parties cannot take direct responsibility and stand in your place even if they were at fault.

Buying or selling client data

This most commonly occurs when buying marketing lists or leads. You can only sell a marketing list if you have the consent of individuals to do so.

This consent needs to be specific, i.e. it must cover a third party contacting them, not just the business selling the list.

When buying a direct marketing list you will need to undertake due diligence on the seller, asking questions such as:

  • Who compiled the list? Has it been amended or updated since?
  • When was consent obtained?
  • Who obtained it and in what context?
  • What method was used, for example, was it opt-in or opt-out?
  • Was the information provided clear and intelligible?
  • Did it specifically mention texts, emails or automated calls?
  • Did it list organisations by name, by description, or was the consent for disclosure to any third party?
  • Has the list been screened against the Telephone Preference Service? If so, when?
  • Has the individual expressed any other preferences regarding marketing calls or mail?
  • Has the seller received any complaints?
  • Is the seller a member of a professional body or accredited in some way?

Any reliable vendor should be able to answer these questions easily as they are those suggested in the Information Commissioner's Office's (ICO’s) direct marketing guidance.

If you buy leads on an individual basis, for example from VouchedFor or Unbiased, the same requirements apply.

Purchasing a client bank

It’s easy to think advisers rarely buy or sell marketing lists or client data.

However, where a client bank, or goodwill, rather than the equity in a business is acquired, that’s exactly what is happening.

As you cannot bulk novate across adviser charges, you must get each client to agree to pay you an adviser charge under your own client agreement. This means you are effectively buying a marketing list from the seller and little else (other than any trail commission still being paid).

The best way to manage this is to encourage the selling adviser to help by contacting clients, advising them of the sale of the business, explaining who the buyers are, and explaining the process for signing new client agreements.