
Last week I sat on the panel of our joint webinar with Professional Adviser, ‘Why GDPR is more opportunity than chore’. During the debate the other panelists and I discussed the answers to the following key questions:

1. What is GDPR and why has it been introduced?

GDPR, the General Data Protection Regulation, is a piece of EU regulation. It will replace the existing Data Protection Act when it is enacted in the UK on the 25th May 2018. The GDPR provides a suite of rules that govern the ways in which businesses, of all types and sizes, must manage and protect the personal data that they collect, and use, in the course of running their business. These regulations are not Financial Services specific; they apply across all industries and all types of organisations. 


The GDPR has been introduced in response to the far-reaching changes in technology that have taken place over the last couple of decades, i.e. since the DPA was introduced. As a society we’ve become accustomed to using all kinds of new technologies and we are using all sorts of different devices in our daily lives to an extent that most people would have simply never dreamt of twenty years ago. For example, smartphones did not exist ten years ago and yet now it’s hard for many of us to imagine life without them! And, as a consequence, there’s far more personal data being collected, stored, processed and transmitted in new and different ways by many more organisations; which is why the new GDPR regulations have been introduced, i.e. to increase the level of protection afforded to consumers and to minimise the number of scams caused by the abuse of personal data. 


Of course, being a piece of EU regulation, you might wonder what happens post-Brexit, i.e. will the need to comply disappear almost as soon as it has been introduced? The short answer is no, as the UK Government has already confirmed that Brexit will not affect the commencement of GDPR.

2. What is the difference between GDPR and the existing Data Protection Act?

There are a number of key differences but fundamentally, GDPR increases the level of protection afforded to consumers, which surely has to be a good thing. Of course there are lots of detailed differences, but the key ones are:


  • The levels of fines that can be applied for non-compliance and data breaches. Currently the maximum fine that can be applied in the UK is £500,000. Clearly this isn’t a small amount of money, but it pales into insignificance compared to the GDPR maximum fine of €20,000,000 or 4% of global turnover, whichever is the greater. So, if you are the size of, say, Facebook you could be looking at a maximum fine approaching $1 billion.
  • The fact that GDPR imposes a responsibility on organisations not just to comply but to be able to demonstrate that they comply, i.e. businesses will have to create policies and procedures for their employees to follow and have mechanisms in place to check that they are actually following them.
  • Data breaches have to be reported to the authorities, and potentially customers as well, within 72 hours of realising that a breach has occurred. This is a considerably shorter notification period than exists under the DPA today.
  • The scope of personal data covered by GDPR is also much broader. For example, it can include client records kept on card / paper if they are stored in a structured way.
  • All businesses capturing personal data from clients, or prospects, must have a valid legal basis to collect and process that data.

3. Which areas of GDPR are the most important for an adviser business to consider?

Making sure that all client data is stored in a safe, secure manner
If you’re using a Back Office system then you should ensure that all client data is stored in a safe, secure way. If you are using a hosted solution like XPLAN then all of this will be taken care of for you. If you are one of those firms that still has some paper / card-based client records then I would strongly suggest you need to act pretty quickly. It really isn’t going to look good if, for any reason, those records were destroyed in, say, a fire or a flood; I think you will have a very hard job explaining that loss of data firstly to the authorities and secondly to your clients! In today’s world there is no reason why an adviser business shouldn’t have all of its client records safely stored and encrypted in a well-protected Data Centre.


Making sure that you can continue to service your existing clients
It’s not just about checking that you have the right consents from your clients to continue sending them information, and being able to satisfy any data access requests; it’s also about checking your supply chains. Specifically, if you are passing personal client data to any third parties then you need to have done your Due Diligence on them and ensured that they are contracted to swiftly inform you of any data breaches.


Making sure that you can market your services to prospective clients
Many adviser firms will have captured significant amounts of prospect data over recent years, all of which will become useless after the 25th May 2018 if they don’t do something with it. Adviser firms need to get on with using that prospect data and obtaining the consents required to continue canvassing those prospects. And, of course, adviser firms should also ensure that they have updated their processes and procedures for capturing new prospect data.

4. What are the key areas around GDPR that will most affect your average client?

By far the most significant (visible) aspect of GDPR for consumers will be the provision of consents, i.e. adviser firms will need to ask their clients to provide specific consent to continue receiving certain types of communication. Of course adviser firms won’t be the only organisations seeking such consents; there will be all kinds of businesses bombarding consumers for updated consents over the coming months. So, the challenge for adviser firms will be to make sure that their consent requests don’t get lost in the wave of emails and letters that could be aimed at their clients over the next five months.


Beyond that, unless clients have any issues around their personal data, the impact on them won’t be that noticeable. In fact, you might argue that the whole point of GDPR is to ensure that they don’t have to experience problems with their personal data. However, if they do have an issue, or they simply want to see their data or have it transferred elsewhere, then they will have the right to do so. And adviser firms will have to comply with these requests more quickly (within a month) and do so without charging!

5. If an adviser business hasn’t got a plan in place, what should their top 3 priorities be before the deadline to get going?

I guess the obvious first step is to understand the regulations and create a plan! But, being more specific I think the three areas that adviser firms should concentrate on are:


  • Firstly, making sure that they understand what personal data they really need to capture, who they pass that data to, how they process it and so forth. 
  • Secondly, they should make sure they have written policies and procedures in place for their employees to follow around the use of data and what happens should a problem arise. Not only will this help avoid any data breaches in the first place but it will also mitigate against any fines should a breach occur. 
  • Third, they should start collecting specific consents from clients, and prospects, as soon as possible so that they can continue marketing their services to these people after the 25th May 2018. This process will take longer than they might expect as consumer inboxes could get quite clogged-up with emails from other organisations trying to do the same thing. So, get in quick before the rush starts.

6. How important is it to have the right technology in place and how can it help?

It’s hard to imagine how an adviser business of any scale will be able to comply with the GDPR without some kind of technology solution. I would expect that all adviser technology systems will enable their users to comply with GDPR but, as is always the case, some systems will do it better than others. Over the last 12 months we at IRESS have been working on enhancing our systems to make it as easy as possible for adviser firms to meet their GDPR obligations. For example, our systems can capture all types and levels of consumer consent, and they can enable adviser firms to satisfy data access and data portability requests, and so forth. So choosing the right system will certainly make life easier.

7. Is GDPR more opportunity than chore for financial advisers?

As a society we are increasingly running our lives online and the sharing of personal data is becoming ever-more prevalent; it will become the oil that makes the engine of the economy work. As such, ensuring that personal data is stored, shared and used in a responsible, secure and compliant manner will become a hygiene factor. Any business that has a reputation for not being competent and trustworthy when it comes to holding personal data simply won’t exist for too long. So, the opportunity of GDPR is to make sure adviser businesses are doing all of the things needed to build the right reputation. Treating compliance as a chore effectively means that adviser businesses don’t care about their clients’ data and they will soon find that this means that their clients will not care about them either.

8. What is IRESS doing to help its customers comply with the GDPR?

As you would expect, IRESS has already been doing a great deal to help our customers comply with the new regulations when they come into force next May. Not only have we spent many hours reading around the new regulations and discussing their impact with industry practitioners and commentators, we have also gathered together a focus group of users of our software to discuss and agree how best to enhance the software. We are now in the process of developing the changes required; in fact some have already been released.



9. Where can adviser firms get more information on GDPR?

The Information Commissioner’s Office (ICO) has published a useful guide, which can be found on their website.

Why GDPR is more opportunity than chore

Watch the full webinar here and see what our expert panel think adviser firms should be thinking about ahead of the GDPR deadline.

IRESS is a supplier of software products and solutions for the financial services market. Whilst we seek to understand relevant changes to the regulations that will affect our clients’ businesses, we do not purport to offer definitive advice or guidance as regards the meaning or interpretation of any new regulations. As such, any views and / or statements made within our website should not be relied upon, and your own particular position should be checked with your Compliance Officer and / or Compliance Service provider.

