The Global Data Protection Regulation comes into force in a little under two months but there seems precious little in the way of detail regarding its impact on financial services.
The FCA and Information Commissioner's Office did publish a joint update last month but it did not add very much in terms of information to ensure firms are ready to comply from May.
The simple fact is that GDPR vastly increases the rights of the individual and this will have a profound effect on all businesses. But the rights of the individual extend to you – the adviser – as well.
Many of you reading this will have received an unsolicited call at some point in your career. This may have been from a recruitment consultant, headhunter or a telephone account manager at a national firm.
Some of you will be mildly irritated at being contacted in this way but most are flattered and intrigued as to where the call might lead. However, under GDPR this approach to recruitment will be hit by the law of unintended consequences.
Recruitment processes are largely driven using data stored in a customer relationship management system. This data consists of information usually purchased from companies that hold databases of intermediaries within the UK financial services sector. These databases are an amalgamation of information from various sources, including the FCA register and registration information from websites.
CRM is then used to drive telephone and email marketing activity, where consent to use this data is based on the implied consent obtained by the companies at the time of data collection.
GDPR means firms are simply no longer able to hold data where there is no clear consent by the individual. Cold-calling or unsolicited email campaigns to individuals from a purchased list is no longer viable. It is not possible to rely on an external agency to obtain the correct consent.
To continue to use this data, firms need to contact each individual prior to 25 May to explain why it is held, where it came from, what firms do with it and to request the individual opts in to receive communications from the firm. Without consent, the information must be deleted.
Even when there has been communication in the past and where there is a commitment to contact again in the future (an arranged callback, for example) the firm must give the person a further opportunity to withdraw consent should they wish, with consent clearly recorded in CRM. These individuals would then need to be reminded of their ability to withdraw consent every six months.
So, advisers: do not take it personally if the phone stops ringing with the “once in a lifetime opportunity”. Blame the GDPR.
Moving forward, I expect to see a rash of freshly buffed-up adviser profiles on social media sites.
Tim Sargisson is chief executive officer at Sandringham