The European Union’s General Data Protection Regulation (GDPR) applies to individuals within member countries, having been adopted on 27 April 2016.
It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation.
The UK Government has affirmed it will also apply in the event of Brexit.
“The GDPR will have a far-reaching impact across the financial services sector and beyond, including those advisers who market to clients and prospects,” said Skip Fidura, client services director at online marketing company Dotmailer.
“Make no mistake: the GDPR will force changes in how advisers market, but it is not intended to curtail their ability to market. The regulation is not restricted to marketing though – it covers the processing of any personal data, so arming yourself with the right information is absolutely key when it comes to marketing your services as an adviser.”
Two-tier sanctions
Fines for a compliance failure after 25 May 2018 are either €20m (£17.7m, $23.9m) or 4% of company turnover in the higher tier, and €10m or 2% in the second tier, said Fidura.
Under GDPR it is up to the adviser to prove they are compliant. For example, they may have to keep partial data on former prospects who have requested that their data held by the adviser be deleted, in order to prove the data has been deleted.
To become compliant, an adviser needs to complete an audit of all the data they might hold, where it is held, how it is held, how it flows between systems and who has access to it.
The next step is to undertake a ‘Privacy Impact Assessment’ on that data, which will help determine on which legal bases the information is held.
Updating data to new standard
The two bases under GDPR most likely to apply to adviser marketing are the consent of the data subject and the legitimate interest of the data controller.
The adviser will then need to action their findings and bring the data up to the new standards, for example by ensuring there is clear and unambiguous consent, which is important in the case of sensitive information, or a legitimate interest in holding the data.
This step could involve upgrading their existing permissions, deleting data or updating data.
Firms can find further information from the Information Commissioner's Office in the UK and the Direct Marketers Association.