Data protection, Apr 12 2018

What are the key areas for adviser firms to address?


The General Data Protection Regulation will apply to all companies, not just those in financial services.

But for financial advice firms, GDPR comes hot on the heels of Mifid II and Priips, which were introduced at the start of 2018, and it may seem like yet more regulatory burdens for adviser firms to take on.

This could be why so many adviser firms have much more work to do before the 25 May deadline.

According to research by Intelliflo, carried out between mid-February and early April 2018, 245 users of its Intelligent Office (iO) suite of business management tools completed a survey testing their knowledge of the new regulation. The results reveal that around one in five, or just 18 per cent, reached ‘expert’ status, scoring between 90 per cent and 100 per cent.

Intelliflo’s press release adds that almost three in five, or 58 per cent, of those who took part reached ‘pro’ status, scoring between 60 per cent and 90 per cent, while just under a quarter were still at the ‘rookie’ stage, with a score of up to 59 per cent.

Rob Walton, chief operating officer at Intelliflo and chairman of its GDPR working group, points out: "The message about needing to take action to comply with the GDPR is definitely getting through to advisers.

"Last September we found that around 9 per cent weren’t even aware of the new regulation. The knowledge survey shows that around 99 per cent now do know about it and the majority are taking steps to increase their understanding of the regulation, although there’s still plenty of scope for improvement.”

The risks of not complying, though, are high. For many of us data is a hugely personal issue, so it is easy to understand the importance of protecting clients’ data.

David Marchese, consultant at Gordon Dadds, highlights: “The key point for financial adviser firms is that data protection is a key risk area – get it wrong, and you could expose your firm to considerable penalties, as well as loss of reputation in the market.”

He acknowledges the raft of changes that may need to take place within an adviser firm in order to comply with the new data protection regulation.


“It requires changes in technological and organisational systems, and in the design of new products and services. And yes, it requires employee training, just as in any other regulatory area,” Mr Marchese confirms. 

He continues: “Then they also need to check their technology contracts, particularly where they use cloud-based software services. 

“And while they should already have examined the basis on which they interact with US and other non-EU entities, they need to do so especially for the GDPR.”

That is a long to-do list.

Awareness of GDPR

Firstly, awareness of GDPR among staff and ensuring all employees receive training is of utmost importance.

Mark Greenwood, regulatory policy manager at The SimplyBiz Group, says: “The first key step is awareness, and firms should ensure all staff have an understanding of GDPR and have evidence to support this, ensuring that they have appropriate consent from clients on how their data is used.”

"Employee training is hugely important, since breaches under the regulation can come from any part of an organisation – it is not just the responsibility of management," flags Mr Walton.

"A lot of this centres on cyber security – do employees know how to spot phishing emails? Do they know what to do if they lose data or laptops?" he asks.

Crucially, it is not just one department within an adviser firm for whom knowledge of GDPR will be necessary.

Mark Ehlinger, head of regulatory and professionalism services at Focus Solutions, suggests employee training within adviser firms on the practical and consequential implications of complying with EU GDPR is vital.

“GDPR is not owned by one department, like IT, human resources or marketing - it is everyone’s responsibility,” he points out.

“Typically, clients think of their bank account or the amount of their annual income as sensitive information. However, the definition of sensitive personal data is rather different.”

He says some of the areas for adviser firms to consider are:

  • Consent – close attention to clients’ rights under the EU GDPR, and how their firm will be capable of responding to these rights. A clear understanding of how personal data flows in and out of the adviser firm. 
  • Data minimisation – establishing effective processes to identify where held data is no longer necessary to retain.
  • Management information – effective systems for recording breaches, and establishing which are ‘material’ such that they are reportable to the ICO.
  • Governance and oversight – this is not a one-off exercise, it requires proportionate oversight, and review of data processes, contractual arrangements relating to storing and processing of personal data.

Alongside ensuring every single employee is clued up about GDPR and what it means for them and their clients, firms will need to scrutinise their internal systems and processes.

Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, explains: “Firms need to review and document how they collect, handle and store data to make sure they are compliant – this means looking at everything from information security and records management, to data sharing and direct marketing.”

Of course, advisers are aware of the need for discretion and confidentiality when it comes to dealing with clients’ personal information.

As Steven Rhodes, a data protection lawyer at Allegis Group, notes: “Advisers deal with personal details of clients as a matter of course and would regard discussions with a client, and their personal details, as confidential – so does GDPR.

“But, as with most compliance, GDPR requires you to document how you keep confidential matters secure and show your procedures to the regulators (in this case the Information Commissioner’s Office, or the ICO) when they come calling.” 

He confirms that a key tenet of GDPR is the concept of data security “by design and default”.

“It’s the idea that you should develop failsafe systems to ensure client details remain as safe as possible even when your security is breached,” says Mr Rhodes.

And he admits this is possibly the most challenging area for adviser firms to address, adding “your business systems need to work to make sure data protection is a daily concern”.

Where should adviser firms start?

“Look at all the different applications you have on your computers: client database, payroll, telecoms, email. Track where your data comes in, where it’s stored, and where it goes out and then identify the staff member responsible for dealing with this data,” he suggests.

“An encryption system for client data is almost certainly needed unless you operate a paper-only office. Start shopping around for a suitable product. Look for something relatively easy to understand which your staff can operate; and ensure everyone gets the necessary training to be confident with it.”

While putting all this in place may not ultimately prevent a cybersecurity attack, it will limit the damage should an advisory business be the victim of one.

Mr Rhodes says: “Its encryption system will mean that client data cannot be stolen or corrupted, its business systems will have alerted any security breach and its trained staff will know who is responsible for each database and what should be done next.”

He urges businesses to start looking at their internal systems and processes now if they haven’t already and suggests the ICO website is a useful place to start for guidance.

“They have produced a checklist and 12-step programme. It’s where all businesses should start,” he adds.

Keeping clients informed

Communication is a vital part of GDPR. 

“Firms will need to communicate with their clients about it, and update their terms of service and privacy policies on their websites and elsewhere,” Mr Marchese points out. 

“They need to amend their contracts of employment, add new employee policies, and amend their contract terms with third party suppliers.”

Ms Gibson acknowledges: “GDPR will give individuals greater control over their own data, so communicating with clients to keep them informed of how the firm’s procedures will protect their rights, as well as obtaining new explicit consent if required, will also be important. 

“Marketing and sales procedures will require review. For example, marketing teams will need to ensure proper consents have been obtained prior to sending any marketing material.”

Mr Walton urges firms to have a clear record of who they can send marketing communications to but he acknowledges not all communication to clients is marketing.

"Much of the communications they have previously sent to their clients they can continue to do so legitimately, but a clearly well-defined document policy is required to ensure they do not overstep the mark," he explains.

Below is an example of an email sent out by RSM to its mailing list, asking for consent to receive communications from them.


Other details not to be missed by adviser firms are outlined by Mr Greenwood.

“Firms will need to be aware of the client’s right to request access to the data held by their firm – under GDPR this is known as a subject access request.  

“Previously firms had 40 days to comply and could charge the client £10. Under GDPR, in almost all cases, it is free and the firm will have one month to comply,” he points out.

“Another area for firms to consider is to ensure that all third parties, including providers/platforms with which they deal are GDPR compliant, and the firm will need to get GDPR due diligence/evidence to support this.”

The devil is in the detail when it comes to the areas adviser firms should be addressing prior to the implementation of GDPR.

But with so much at stake, it is worth putting in the time and effort across all areas of the business.

eleanor.duncan@ft.com