The General Data Protection Regulation will apply to all companies, not just those in financial services.
But for financial advice firms, GDPR comes hot on the heels of Mifid II and Priips, which were introduced at the start of 2018, and it may seem like yet more regulatory burdens for adviser firms to take on.
This could be why so many adviser firms have much more work to do before the 25 May deadline.
According to research carried out by Intelliflo between mid-February and early April 2018, 245 users of its Intelligent Office (iO) suite of business management tools completed a survey testing their knowledge of the new regulation. The results reveal that around one in five, or just 18 per cent, reached ‘expert’ status, scoring between 90 per cent and 100 per cent.
A press release from Intelliflo details that almost three in five, or 58 per cent, of those who took part reached ‘pro’ status, scoring between 60 per cent and 90 per cent, while just under a quarter were still at the ‘rookie’ stage, with a score anywhere up to 59 per cent.
Rob Walton, chief operating officer at Intelliflo and chairman of its GDPR working group, points out: “The message about needing to take action to comply with the GDPR is definitely getting through to advisers.
“Last September we found that around 9 per cent weren’t even aware of the new regulation. The knowledge survey shows that around 99 per cent now do know about it and the majority are taking steps to increase their understanding of the regulation, although there’s still plenty of scope for improvement.”
The risks of not complying are high, though, and for many of us data is a hugely personal issue, so it is easy to understand the importance of protecting clients’ data.
David Marchese, consultant at Gordon Dadds, highlights: “The key point for financial adviser firms is that data protection is a key risk area – get it wrong, and you could expose your firm to considerable penalties, as well as loss of reputation in the market.”
He acknowledges the raft of changes that may need to take place within an adviser firm in order to comply with the new data protection regulation.
“It requires changes in technological and organisational systems, and in the design of new products and services. And yes, it requires employee training, just as in any other regulatory area,” Mr Marchese confirms.
He continues: “Then they also need to check their technology contracts, particularly where they use cloud-based software services.
“And while they should already have examined the basis on which they interact with US and other non-EU entities, they need to do so especially for the GDPR.”
That is a long to-do list.