GDPR: Bigger than Mifid II for advisers?

Advisers with an eye on upcoming regulation already have one date circled in next year’s calendar: on 3 January Mifid II comes into effect, meaning a substantial amount of work is currently under way for intermediaries and other industry participants in areas such as client reporting. 

But those losing sleep over this should not forget to prepare for another sweeping piece of regulation due in 2018.

Mifid II requirements have become a focus of growing concern within financial services, particularly as many firms appear to have left just a handful of months to prepare for the changes. The associated clamour is likely proving a distraction from a challenge of equal significance: the EU’s General Data Protection Regulation (GDPR) rules, which come into force on 25 May 2018.

This piece of regulation gives individuals new rights surrounding their personal information, including the ability to demand such data be erased in specific circumstances. GDPR also significantly increases the level of scrutiny on how this data is treated by companies. The EU regulation will be enshrined into UK law next year, meaning it will not be affected by Brexit.

The effect of the regulation on advice firms will be substantial, given the amount of information such businesses hold on customers past and present.

“This could have a really serious impact on this industry when you think of how much data is involved and how it’s stored,” explains Rob Walton, chief operating officer at Intelliflo, a provider of business management software. 

He adds that his firm has only had “a few interactions” with advisers about the regulation in recent months, suggesting many are unaware of the task ahead.

The regulation is daunting in its scope. Under accountability and governance principles, firms will be responsible for how they collect, store and use personal data. This includes keeping evidence that adequate processes are in place, including data protection policies, impact assessments and relevant documents showing how such information is processed.

Scrutiny will be applied to whether consent has been granted by individuals for their data to be used – meaning clients must grant explicit permission to companies that use their data, with a demand that this consent be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”.

Key guidelines

Box 1 outlines four important points for advisers, but these are just some of the requirements. For intermediaries, the initial process of working out whether their activity is compliant with the new rules could be a mammoth task in itself.

One requirement indicating the potential size of the workload involved relates to whether data is stored, and shared, in a secure manner. Jamie Vale, of technology firm StayPrivate, warns that one common way for clients to send personal information to advisers – via email – falls short of requirements for secure storage. This method of sharing data can lead to copies of information proliferating rapidly, meaning advisers may need to make a large backlog of information secure before the deadline.

“If you are sharing information with a customer you need to do it in a secure and anonymised way. Most advisers share that via email, which is not secure,” he says.