The General Data Protection Regulation protects the data of individuals across the EU.
If you are an independent financial adviser, GDPR is a major issue that you need to be on top of. The EU’s new general data protection regulation came into effect on 25th May 2018. Financial advisers should understand how the GDPR affects their dealings with financial advice clients and their business as a whole.
The penalties for not complying with GDPR are not to be taken lightly. This is especially true for the financial advice sector, which many expect will be under particular scrutiny. Fines of up to £20m or 4% of annual turnover (whichever is higher) can be imposed for serious breaches or non-compliance.
The above penalties demonstrate the severity of non-compliance. Part of being a good financial planner involves making sure that you know all about regulations such as GDPR, to protect both you and your clients.
The GDPR is a revision of previous data protection legislation, and the main changes are in the following areas:
Increased scope, applying to any data held on EU residents, regardless of your location.
Tighter consent laws that mean people must give explicit permission regarding their data.
The requirement to notify authorities of any breaches.
Right to access for data subjects.
Greater need for privacy within any systems or databases used.
Naturally, as a financial adviser, this affects how you work, and how you need to work, in a number of ways.
How does GDPR affect financial advisers?
Much of the impact on you as a financial adviser will revolve around the personal data that you hold on clients in the areas listed above. This will include:
Making sure that you have all the paperwork correct – the greater emphasis on clients giving specific consent to hold any personal data on them means that you must make sure that you get it in writing. Failure to do so could prove very costly if the breach is reported. Implied consent is not allowed under the new rules.
Updates to existing software – if you use any kind of database or CRM system to store clients’ data, it needs to be secured in compliance with the GDPR. The privacy of these systems must be robust, which means investment in infrastructure and resources.
Constant attention to GDPR – while you will naturally have been working with data protection laws in mind already, the GDPR is relatively new, so most financial advice firms will need to check regularly that they are compliant. This is vital so that any breaches can be spotted and reported to the authorities.
Under the GDPR, financial advisers have more responsibilities, such as ensuring that they notify both the regulator and, in most instances, the affected individuals within 72 hours of a cyber attack that has breached the latter’s data.
Breaches will also have to be made public, increasing the risk of reputational damage.
Advisers must follow new entitlements for current and former clients, including access requests (offering access to the data held on these clients) and portability requests (handing over all data to a new company if a client decides to leave for a competitor).
When emailing prospective and existing clients, financial advisers must obtain a double opt-in from them. It is no longer enough for clients simply to click to say that they are happy to receive communications, as they used to be able to. They will have to explicitly agree to opt in to receive marketing communications, and this opt-in must be recorded and stored.
If you cannot prove that an unhappy recipient of your marketing emails has opted in to your communications, then you could face an eye-watering fine, even if you have just one non-compliant record.
The GDPR is a vital consideration for you as a financial adviser, whether it concerns the systems that you use to store clients’ data or keeping an eye out for any breaches. With the high sanctions in place for failure to comply, ignoring GDPR really is a risk not worth taking.