Data protectionMay 28 2019

Industry takes stock of data protection rules

twitter-iconfacebook-iconlinkedin-iconmail-iconprint-icon
Search supported by
Industry takes stock of data protection rules

There has been concern about the impact the General Data Protection Regulation could have on the advice market but one year on it seems little has changed.

Arguably one of the bigger regulatory changes to the advice market in recent years, the GDPR was enforced across the UK on May 25, 2018, affecting any organisation which holds or processes people's personal data.   

The rules give consumers the right to have their data erased, meaning they can request the deletion of personal data relating to them held by a company, and enforce penalties on those found to have misused or mismanaged clients' personal data.

Ahead of the changes some raised concerns about the financial and commercial impacts the requirements imposed by GDPR could have on advice firms, with suggestions advisers' lead lists and enquiries from online directories could be hampered if potential clients did not give their explicit consent to their data being held. 

Networks were concerned the rules could leave advisers unable to defend themselves against complaints to the Financial Ombudsman Service and detriment an adviser's cover with professional indemnity insurers

Advisers have now been working under the new rules for a year but it appears not all of these concerns have come to fruition, with some reflecting on the changes as a force for good and merely a reinforcement of good practices. 

Mark Turner, managing director of compliance and regulatory consulting at Duff & Phelps, said whilst the new rules may have had a shrinking effect on lead lists, this should ultimately create a more efficient process for contacting clients in the future. 

He said: "Firms will have experienced some reduction in the number of prospects in their databases however this is due to prospects opting out of communications they are not interested in.

"In many cases this narrower focus has saved time when compiling target lists for marketing campaigns or event invites.

"Those that have chosen to remain on distribution lists are those that genuinely want to hear about the services on offer and businesses can spend the time saved confidently reviving relationships with stronger leads and harvesting better returns." 

Reflecting on concerns surrounding an adviser's ability to defend an ombudsman claim under GDPR, as client data may have been erased at the request of the client, Mr Turner said it is important to remember companies are entitled to retain records and personal data for clients in order to defend themselves against claims and litigation. 

He added: "Whilst this is the case, firms may need to invest more time and resource ensuring their data management framework supports a careful consideration of the exact data retained for different purposes.

"The right to defend against a legal claim does not provide cover to retain any and all personal data of clients and should not be misused to avoid implementing a proper data retention schedule and framework.

"If an ex-client unsubscribes from a mailing list or requests a data processing restriction, these requests should be actioned in the spirit of fairness and transparency as far as reasonably possible to prevent complaints to the regulators which may prompt a more thorough tyre kicking of the entire compliance framework."

For Martin Brown, managing partner at adviser partnership Continuum, GDPR has done little more than remind advisers of the processes they should have had in place anyway.

He said: "A lot of GDPR should very much be common sense, such as making sure you have your own IT policy and making sure advisers are not, for example, going online on a train and working on client cases.

"So we reinforced our IT security policy and made sure it was embedded in the partnership.

"For central communications with clients, we've always incorporated the data back and forth in a secure portal and we've also tightened up on internal communications and built an in-house secure portal."

Mr Brown said in "this day and age" it is an "absolute must" that the advice market take the requirements under GDPR seriously. 

He added: "Arguably in a good way GDPR was dramatised to be a big deal, so as to encourage those companies who were miles away from doing what they should be to do something about it.

"But for those people running businesses with good common sense, it was just a case of making sure they tightened it up."

Nevertheless, the added administrative burden of GDPR must not be underestimated and Gus Hull, commercial consultant at The Lang Cat, said a year on from the introduction of GDPR he still comes across incorrect references or those relating to the old regime. 

He said: "For financial advice professionals, I think it would be fair to say that it has been, and remains, a struggle to ensure that all documentation, and particularly client-facing documentation, has been updated to capture and reflect GDPR." 

For Mr Hull, the struggle to implement GDPR will have fallen heaviest on those smaller advisers who are not part of a network. 

He said: "Although the Information Commissioner’s Office were supportive and did a lot of good work to assist businesses of all shapes and sizes, including a dedicated advice line for small organisations, the complex nature of the regulation and the sheer scale of the implementation requirements will mean that it’s an ongoing struggle to become, and remain, fully compliant."

Mr Hull said this also included the requirement to demonstrate and evidence compliance.

rachel.addison@ft.com

What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know.