Recently issued industry research shows that some advisers may be underprepared for the forthcoming GDPR rules around personal data.
Despite the new rules being considered not much more than an update by some, a survey by software firm Iress of fifty advice firms, ranging in size from one to more than ten advisers, shows that fewer than half of those surveyed thought they were ready for the implementation of the GDPR on May 25th. With less than a month to go, 30 per cent said they were not ready, while 28 per cent said they were making progress or were part of the way to being ready for the legislation.
Some of the key changes for advisers relate to marketing and to the storage of data. Marketing activity, whether to individuals or other firms, can only take place if the recipients have given their informed consent to receive material from an advice firm. The client must opt in and must be able to withdraw their consent at any time. In addition, the Privacy and Electronic Communications Regulations (PECRs) apply to all marketing via electronic means and to the use of cookies.
Clients can also request to have their data deleted, via “the right to be forgotten”; can ask, free of charge via a Subject Access Request, for information about how and why their personal data is processed; or can demand that their data be moved to another data controller. Advisers will not need to delete a client’s data where there is a regulatory requirement to hold it, such as the five-year FCA retention rule for MiFID business, or where there is an interest in keeping it against the possibility of a future claim.
Full details of the Information Commissioner’s work in helping firms to be ready for the GDPR are here.