Baker, who is leading the international adviser’s efforts to comply with General Data Protection Regulation (GDPR) and sits on an Intelliflo data working group for advisers, said data compliance could prove too much for some.
As well as tightening the rules around the holding and processing of data, the new regime requires companies to evidence this work or face steep fines when it comes into effect in May.
Well-placed
“Mazars is well placed for GDPR with a project plan in place and resource allocated to move things forward. However, the amount of work is still significant and May is not that far in the future,” Baker told International Adviser.
“GDPR presents a significant challenge to financial advice firms at a time when many are getting to grips with the requirements and costs of Mifid II and the IDD. It is likely to be particularly burdensome for smaller firms who do not have the ability to dedicate time and resources to its implementation.
“Due to the large amount of historic data that firms hold, often on multiple systems, it is important that firms plan early and have a clear idea of when they can and can’t continue to hold data.
“Going forward, simply holding data without good justifications will no longer be acceptable, so well-thought-through policies are essential. In many cases, the challenge of sorting through historic data will be significant both in time and cost; however, the cost of compliance is likely to be minimal when considered in the light of the potential fines that can be levied.”
Skyrocketing fines
Breaches of some provisions by businesses, which lawmakers have deemed most important for data protection, such as those covering the sensitive data held by financial advisers, could lead to fines of up to €20m (£17.5m, $23.6m) or 4% of global annual turnover for the preceding financial year, whichever is the greater.
In practice, the NCC Group, which is also working with advisers on the Intelliflo Group, found this could see ‘fines skyrocket’ in 2018.
Research from the cyber security and risk mitigation company has found that fines from the Information Commissioner's Office against companies in 2016 would have skyrocketed to £69m from £880,500 if GDPR had been in force.
The fines from 2015 would also have risen drastically from £1m to £35m.