Only one third of advisory firms have made plans for the introduction of the General Data Protection Regulation (GDPR), according to a new survey.
The data protection watchdog, the Information Commissioner’s Office, has described the new Regulation as “the biggest change to data protection law for a generation”.
Nevertheless, a study by financial software provider Intelliflo found that of the 270 firms surveyed, 67% had no plan for implementing GDPR. 31% had little understanding of how the GDPR requirements are different from existing data protection legislation, and 9% of respondents were unaware that the Regulation even existed.
The GDPR comes into force on May 25 2018 and will affect all firms across all business sectors. Although the Regulation is a piece of EU legislation, Brexit will not affect its implementation in the UK.
Rob Walton, chief operating officer of Intelliflo, said:
“Although May might seem like a long way off, it’s actually very little time for advisers to start preparing for the enforcement date of GDPR.
“It’s not the case that if you are compliant with the current Data Protection Act, then there’s little to worry about.
“The new regulation is far more detailed, with new obligations and requirements, and it’s essential that advisers can demonstrate that they have taken action to ensure they are fully meeting these.
“Personal data is the very essence of financial advice, therefore GDPR could have a significant impact on most, if not all, firms.
“Our survey throws up some worrying results and I urge advisers to act now to get a firm grasp on what it means for them and their businesses.”
Some of the key elements of GDPR include:
• Privacy notices must clearly explain to clients what a firm’s legal basis for processing data is, together with how long the firm will retain the data for. Clients must also be informed that they have a right to complain to the ICO. 89% of respondents to the Intelliflo survey admitted that they still retained data relating to clients whom they had not dealt with for a number of years.
• Firms will have just one month to comply with a subject access request, and in most circumstances won’t be able to charge clients for providing the information.
• Where firms introduce new technology, or where processing is likely to significantly affect individuals, they may be required to carry out a Privacy Impact Assessment, considering the impact the change would have on the data protection rights of clients.
Firms that fail to comply with GDPR requirements can be fined up to 4% of annual turnover or €20 million, whichever is higher. Firms are therefore urged to read the information on the ICO website about the detailed GDPR requirements, and to seek advice from their compliance consultant.