An article in FT Adviser suggests that, for financial advice firms, it might be.
Probably not what businesses still reeling from MiFID II, which came into force this week, want to hear.
But the General Data Protection Regulation – which becomes effective from May this year – is the next challenge facing Compliance teams, and shouldn’t be forgotten in the flurry of MiFID II preparations.
How will GDPR affect financial advisers?
The FT Adviser article states that ‘The effect of the regulation on advice firms will be substantial, given the amount of information such businesses hold on customers past and present.’
One company advising firms on how to tackle GDPR believes that advisers may be unaware of the scale of the task they face.
Rob Walton, chief operating officer at Intelliflo, is quoted in the article as saying that his firm has only had ‘a few interactions’ with advisers about the pending regulation in recent months, suggesting many are unaware of the task ahead.
What will GDPR mean in practical terms?
The regulation focuses on protecting personal data. The definition of data included is expanded to cover – for example – business email addresses; previously, ‘professional’ contact details weren’t subject to as strict regulation as personal ones.
The rules around collecting, storing and using personal data become more stringent under GDPR. Firms will need to evidence that they have adequate processes, including data protection policies, impact assessments and relevant documents showing how the data is processed.
‘Consent’ is a big issue under GDPR – firms will need to prove that they have the required permission to use individuals’ data. Obtaining consent will be more stringently policed – a pre-ticked opt-in box (as is permitted currently) won’t be sufficient, for example.
But consent is not the only basis for using data; there are other lawful reasons why a firm can use personal data. Firms need to have an understanding of all of these bases to ensure they are collecting and using data in a compliant way.
Four key GDPR issues facing advisers
The article picks out four specific issues that advisers need to tackle around the new regulation:
- Companies must ensure the data they hold is accurate and up to date. This is particularly relevant for advisers in relation to financial plans and valuations.
- Organisations must have the subject’s consent to process their data. This could potentially have implications for client correspondence.
- Firms have to be able to evidence their compliance with the rules. The FCA has said it will look for ‘privacy and security by design’.
- Individuals can ask businesses to delete them from their records – but this isn’t always applicable to advice firms.
The storage of data is predicted to create particular problems for advisers. Data needs to be stored and shared in a secure way under the new rules. Currently, much of the communication between advisers and their clients is via email – a medium that doesn’t necessarily meet the security criteria.
What happens to firms that don’t comply?
Any firm that falls short of the regulation’s requirements faces some potentially significant penalties. The ICO can impose fines of up to €20m (£18m), or 4% of the firm’s worldwide turnover.
What should firms do now?
If you don’t feel prepared for GDPR, start by reading our 10 things you need to know and do now about GDPR. This will give you a briefing on the new regulation and the immediate actions you should take to prepare.
Will the regulation be a bigger challenge for advisers than MiFID II? Time will tell. What is irrefutable is that it will be a significant challenge – and should be a major focus for advisers in the first few months of 2018.
With MiFID II, the GDPR and a raft of other new regulations to deal with, you’re facing a challenging time in 2018.
How can we help?
At LS Consultancy, we offer a complete solution with a range of cost-effective regulatory compliance and marketing products and solutions, including copy advice, that are uniquely suited to supporting firms.