Changes to privacy notices under the new General Data Protection Regulation (GDPR) could mean adviser firms “leave themselves exposed”.
Rob Walton, chief operating officer at data processor Intelliflo, told FTAdviser what adviser firms need to do ahead of 25 May, when the European Union-wide General Data Protection Regulation (GDPR) comes into force.
In the latest FTAdviser video, He flagged changes to the way privacy notices would work under the General Data Protection Regulation (GDPR) and urged advisers to read Article 13 and Article 14 of the new legislation.
Mr Walton said: "Article 13 is much like the previous data protection regime. You have to provide a privacy notice to people who provide you with their information so you explain why you are taking it, what you are using it for (and) how long you are going to keep it for.
“Article 14, however, extends beyond that in that it says you have to provide a privacy notice to connected individuals.
“What does this mean in practice?”
"It means that if I were an adviser and I was advising you, you maybe tell me something about your partner or husband.
“Potentially, the reason we are talking right now is they are currently undergoing treatment for a medical condition and you need to make sure the finances are in order should the worst happen. That is a special category of information.
"I, as an adviser, would have to make sure I provide a privacy notice to your partner/your husband also.”
Mr Walton warned: "Obviously, this is a big change for the industry. This is one of the big areas where firms could potentially leave themselves most exposed.”
He previously told FTAdviser he was concerned General Data Protection Regulation (GDPR) would create the next ‘no win, no fee’ industry, as Article 82 “allows the data subject, so an adviser’s client, to sue the data controller, [that’s] the adviser, or the data processor”.
“They could sue either of us if something were to happen that impacted the rights and freedoms of the individual,” he noted.
Mr Walton flagged that privacy notices could also cause an issue.
He offered an example: “A husband finds out his wife, many years ago, they’re now getting divorced, has provided information to an adviser about a medical condition and the adviser never gave him a privacy notice. Very likely, they have got every opportunity to sue there.”
The financial services industry has often been accused of operating with legacy technology and systems, so Mr Walton agreed General Data Protection Regulation (GDPR) would help asset managers and adviser firms to upgrade their data storage systems.
He said: "We’ve seen a lot of demand from people looking to move to newer technology, so that they can benefit from things like customer portals."