
Are advisers GDPR ready?

Fresh research shows advisers may be underprepared for new rules around data

More than half of advisers are unprepared for the incoming General Data Protection Regulation, Money Marketing can reveal, as fresh research sheds light on how advisers store and use information.

Advisers will have to comply with the GDPR from 25 May. The wide-ranging legislation is the latest in a long line of regulatory changes impacting advisers in recent months, including Mifid II, increased FCA scrutiny on pension transfers, and getting to grips with the upcoming changes outlined in the FCA’s asset management market study.

A number of advisers speaking to Money Marketing say that preparing for the GDPR is proving costly and time-consuming, with many seeking advice from outsourced compliance specialists.

Yet some who have recently made changes to their back office say that this has inadvertently proved beneficial in being ready for GDPR.

With less than a month to go until GDPR is brought into force, what key concerns remain for advisers?

Protect or regret

Tenet GDPR project assurance officer Joseph Darley says the incoming regulation has caused “fear and confusion” for many advisers. However, Darley says, the reality is many of the changes that will impact financial advisers are just an extension of what is already in the Data Protection Act and the Privacy and Electronic Communications Regulations.


Some of the key changes for advisers relate to marketing and storage of data. Marketing activity can only take place if clients have given their consent to receive material from an advice firm. The client must opt in and they must be able to withdraw their consent at any time.


Clients can also request to have their data deleted, as well as ask for information about how and why their data is processed, or demand their data be moved to another data controller. Advisers will not need to delete a client’s data where there is a regulatory requirement to hold it or where there is an interest in keeping it against the possibility of a future claim, however.

Rowley Turton financial adviser Scott Gallacher thinks this rule could kick-start a debate over just how long advisers are allowed to hold on to data. Gallacher says: “That is where IFA businesses with a lack of a longstop have a problem, in the sense that ex-clients might want to be forgotten. But from an adviser perspective the last thing you want to do is delete all of the data and have a complaint you can’t defend.”

Despite the new rules being considered an update by some, exclusive data from an Iress survey of 50 advice firms, ranging in size from one to more than 10 advisers, shows that less than half of those surveyed think they are ready for the implementation of GDPR.

With less than a month to go, 30 per cent say they are not ready, while 28 per cent say they are making progress or part of the way to being ready for the legislation.

Threesixty managing director Russell Facer agrees that, just as with Mifid II, firms are at different stages of being ready for GDPR.

Facer says: “Some have engaged and looked into what data they are holding. Some are using it as an opportunity to reassess their service proposition and policy of sharing documents, looking at what data they hold and why they hold it.”

He adds that some advisers have even employed ‘ethical hackers’ to understand what issues their business might have and to see if people can access their systems.

Gallacher says the workload of complying with the GDPR is proving to be a large time-cost for the business. He says it is also coming at a time when his firm is working on other large compliance-related projects, including applying for professional indemnity insurance with a new provider.

Gallacher says: “A lot of it is not only complying, but also to provide evidence that you are complying. The rules do make a lot of sense but the issue is that you then have to have a lot of documentation behind the scenes so if there was ever a query you can demonstrate your business is GDPR ready.”

Rowley Turton has sent new privacy notices to clients who sign up for its printed newsletter, which it sends four times a year, and its weekly email newsletter. On the email side, Gallacher says the firm retained around 35 per cent of clients who had previously signed up to receive the mailing.


Marketing mishaps

Tenet’s Darley says marketing is one area in which non-compliance with the GDPR will be obvious.

He says: “Marketing to those who have opted out or where you have no valid grounds to make contact is high risk, and should be avoided at all costs.”

Gallacher says that the firm has upgraded to the latest version of its back-office system, Adviser Office, and has also used outsourced compliance to prepare.

Worldwide Financial Planning IFA Nick McBreen says that his firm changed its back-office systems to Intelliflo last year, which has helped with preparing for GDPR.

He says: “We moved to Intelligent Office [so] that has been part of the process anyway. Having done that, along the way the data has been cleaned up. Firms that have been stuck with old legacy customer relationship management systems will have a challenge.”

McBreen says clients have not asked about GDPR but the rules have sparked interesting conversations with professional introducer firms, particularly accountants.

McBreen says: “[Those introducers] are having to create their own portals to secure communication and transfer documents. That is a positive because it makes it easier to communicate and get information between introducers and advisers.”

Time is money

Like Gallacher, McBreen says GDPR comes with a significant time-cost, which will largely be felt by smaller advice firms.

He says: “You’ve got people having to go through data sets to do all the work necessary to make sure they are clean, robust and accurate. I am not sure how you quantify it because it is done over a period of time.

“For smaller firms that is a drag on time and resources, as well as an extra layer of work and responsibility. A lot of work has been done for people in terms of compliance to make sure their systems are robust and up-to-date. Coming on the back of Mifid II, it is a lot of manpower.”

Verve Investment Planning principal Steve Buttercase is taking guidance to make sure his business is interpreting the new rules correctly.

Verve is an appointed representative of The Online Partnership, but Buttercase says being part of a network while preparing for new regulation has both pros and cons.

He says: “The trouble with being part of a network is that you have to delegate responsibility a bit more than you might be comfortable with sometimes. But they have got teams of people looking at it and sorting it out.”


How advisers use technology in their firms has been revealed through new data collected by Iress.

Fifty firms were surveyed by the technology provider, 23 per cent of which had 10 or more advice firm staff using their back office system.

The research found that more than half (52 per cent) of those surveyed do not hold all client details in their back office system, which has a GDPR impact.

Iress executive general manager for wealth Mark Loosmore says there are GDPR risks with data held in potentially less secure places, for example, paper files or cloud-based storage through office laptops.

Loosmore says: “Advisers are using external storage solutions due to a number of factors. For some, there’s an associated cost of storage in the back office or nervousness of committing to a single solution; also some back office solutions make saving data challenging. For others, it’s simply habit.”

The survey also found that 92 per cent of firms do not have integrated planning tools, which can save advisers time on re-entering information. An almost equally high proportion, 82 per cent, say they use provider extranets for quotations.

Loosmore says: “This is not an efficient use of time. It’s yet another set of rekeying, another log on and data process. It disrupts the audit trail of the advice journey.”

According to the research, 46 per cent use their practice management system to manage their compliance.

Loosmore says: “Almost all respondents identified they managed compliance around rather than through their back office. This has a number of implications: gathering compliance data is costly and time consuming, with a high potential of making mistakes as a result.”

He adds that 56 per cent of those surveyed say they can’t reliably produce Gabriel reports from data held in the back office or automatically through it.

A third of those surveyed say their back office does not let them segment clients.






  1. There is a lot of uncertainty and for us it is in respect of data on children. We have to record dependent children on a fact find for regulatory purposes and the minimum will be name, date of birth, dependency and, regarding special data, disabilities which require taking care of. You are of course advising the parent and if you do not record this information and the fact it has been discussed you can indemnify yourself against advising on an ISA when in fact the need was life assurance!
    Do we need specific parental consent to record essential KYC information? We have been told yes… I do not see that in guidance from ICO although they do not specifically address the question. (We would never market to children, profile them or pass on their details to anyone as per our procedures unless you are talking children’s investments)

  2. Nicholas Pleasure 4th May 2018 at 9:54 am

    I’m still not quite sure about MiFidII.

  3. Seen too many examples where, just like Mifid II, advisers are burying their heads in the sand and hoping it will all just magically go away. Then on the other end of the scale, advisers panicking about more burden on them and their firms.

  4. They bury the head because the rules are uninterpretable! You cannot apply rugby league rules to a game of rugby union.

  5. Nicholas Pleasure 4th May 2018 at 12:44 pm

    Peter Hargreaves brilliantly stated that ‘regulation is a tax on the honest’.

    MiFIDii and GDPR cost honest businesses thousands but will not prevent the scams and frauds on which the FCA should really be focusing its attention.

  6. Sam in respect to personal data about children, I would say “no” to the extent that you need it for the purposes of any contract with the parent or guardian or legal obligation (which for you means compliance with FSMA and the FCA Handbook as well as defending legal claims).

    There also seems to be an argument that vital interests/legitimate interest could be a lawful basis because if the parent died and you needed to act to ensure the child received the benefits to which they were entitled.

    One thing you do need to bear in mind is that although you can identify more than one lawful basis at outset, you cannot normally add one later.

    Also, a data subject CAN insist that all data available to be processed solely by virtue of consent is deleted.

    So you need to disclose all the different bases at outset. That way, you retain the data which will defend a complaint.
