Hello and welcome to your next piece of EU legislation.
Those of you who read my MiFID II white paper and who saw me present on the subject will know I didn’t enjoy it all that much. There are two issues emerging from that directive: the disclosure of previously hidden transaction costs on funds which have been hitting the headlines recently, and the more formal ongoing disclosure of the past 12 months' advice charges and all other costs, which has another year or so before it causes a stink.
The General Data Protection Regulation (GDPR to its friends) is different, and altogether better. Let me explain why.
Firstly, rather than simply ending up on the wrong side of this legislation, with all the work and none of the benefit, you are also a consumer who stands to gain. Unless you’re a fan of unsolicited email, identity theft and pressure sales techniques, you will be better off after 25 May 2018 than you were beforehand.
Secondly, and this is mostly an exercise in schadenfreude, every business in Europe has to comply. This isn't about the victimisation of the adviser community. Few other industries or professions are as well equipped as you to cope with yet another set of rule changes. Cherish the look on the bemused faces of friends, family and introducers as you threaten to report them to the Information Commissioner’s Office (ICO).
Thirdly, the rules are well written and there is a huge amount of information available on them. The ICO’s website is very helpful and includes some practical guidance. Not every question is answered, but unlike MiFID II there is a lot of clarity around what to do.
This isn’t a piece of regulation that’s going to be actively policed. The ICO is not going to audit you, or undertake any telephone interviews. You could ignore the whole thing, cross your fingers and never be found out. However, the size of the fines which can be handed out from 25 May 2018 - up to 4 per cent of global annual turnover for serious violations or 2 per cent for lesser ones - has been eye-catching. You could argue fear of a successful complaint to the Financial Ombudsman Service motivates more advisers than fear of the FCA nowadays, and for data protection the size of fines has been steadily increasing for years, as the table below shows:
The increase in ICO penalties pre-GDPR
| Year | Number of fines | Total amount of fines |
|------|-----------------|-----------------------|
A few big names will no doubt be handed out a few big fines. But for a small business, if you can show you made a genuine effort to be compliant with the GDPR there is unlikely to be a heavy fine even if there is a breach. The small amount of pain involved in being compliant is worth it.
For firms with under 250 employees, fewer written records of processing are required. But as an advice firm processing ‘special category’ data – that’s higher-risk personal information on areas such as health – those exemptions don’t apply to you.
It's worth remembering this isn’t just about client information. The personnel records you hold on employees and self-employed advisers will also be covered. My bet is a significant number of complaints to the ICO about advice firms will be from disgruntled former employees.
I was asked recently what the most complex issue about the GDPR is. Unlike much of financial services regulation, which requires review and change to advice processes only, the GDPR requires you to also understand what’s going on in payroll and HR, your IT department, your marketing and your back-office admin. You may well outsource some of this, as it’s specialised work, and the people you outsource to might not be up to speed. It’s an opportunity to understand and reappraise these areas, though that may be time-consuming and you might encounter resistance. Planning for this and factoring in the time to do it is going to be very important.
The upcoming white paper I’ve written with Nucleus is designed to give you as much theory as I think the average firm needs. There can always be more. It has lots of practical examples which might not occur to you, for example when purchasing a client bank, and includes an action plan to give you a basic framework for approaching the subject. Nucleus is also hosting a series of GDPR masterclasses next month where we will work our way through how you might approach issues such as drafting a data retention policy.
Researching what goes on in the world of online marketing and advertising has convinced me we really do need these new regulations. The current rules are based on regulations drafted in the mid-1990s when the internet was in its infancy.
We all deserve more transparency about what goes on with our personal information. That means treating the data you hold about people with the respect you would like others to show your own.

To download the Nucleus white paper GDPR: A guide for financial advisers, prepared in partnership with Phil Young of Zero Support, click here.