Disclaimer: The contents of this article concern the possible impact of the GDPR on financial websites, such as those belonging to IFAs, wealth managers and finance companies. The below should not be regarded as legal advice. If you want advice on the legal information here, please contact a qualified legal professional.
In all likelihood, as a financial adviser you will have heard of the GDPR (General Data Protection Regulation). It affects how businesses can communicate with and build audiences, as well as how they obtain, store and process personal information.
Britain may well be leaving the EU, but that doesn’t make the European GDPR irrelevant. With transitional arrangements under discussion for Brexit, it will still have a big impact on IFAs and financial firms based and operating in the UK. Indeed, the GDPR also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
So, do you feel that your financial website and marketing are prepared for the GDPR, which comes into effect on 25 May 2018? In all likelihood, the answer is “not very” or possibly “not at all.” But it need not stay that way. Let’s go over some of the key facts surrounding the GDPR below.
Europeans Overwhelmingly Want The GDPR
In the EU, laws and regulations relating to data protection tend to be well received, and the GDPR is no exception. Indeed, privacy and security experts such as Jodi Daniels point out the positive brand equity that GDPR compliance offers financial firms.
In other words, by showing your clients that you are aware of the GDPR and complying with it ahead of time, you send the message that you care about your clients’ personal data and security. This could give your financial website a real competitive advantage over firms that are less stringent.
With consumers increasingly looking for transparency in companies, preparing your IFA firm for the GDPR is likely to be a savvy course of action. With the media frequently publicising data breaches involving prominent companies (e.g. Equifax and Uber), consumers are especially wary and want to be reassured that their information will be treated with the utmost care, respect and confidentiality.
With this all said, what are financial businesses currently doing to address the upcoming GDPR?
Not That Much, To Be Honest
To start with a sobering statistic, only around half of marketers and business leaders appear to be aware of the GDPR at all. Given this picture, it is likely that even fewer are actively preparing for it.
Some IFAs and financial firms are setting a good example by updating their contracts and their policies on personal data protection. However, one likely indirect effect of the GDPR is that financial marketers’ email lists will shrink, and here many IFAs seem under-prepared and unaware.
Why might the GDPR have this effect? One reason is the “right to erasure” (Article 17). It allows individuals to ask that their personal details be deleted, including from marketing lists, and the firm must be able to find and remove every copy it holds. IFAs and wealth managers therefore need to be mindful that this affects how their data storage and processing systems are designed: a record that cannot be located cannot be erased.
The bigger consideration, however, is the GDPR’s requirement for a lawful basis, and in particular for valid consent, which affects how personal data is captured in the first place. Consent must be freely given, specific, informed and unambiguous, so cold sales calls and the practice of buying email lists are likely to become increasingly constricted marketing channels for IFAs.
As a result, financial websites will increasingly need to use explicit opt-ins on their contact forms and email subscriber lists: unticked boxes, a plain statement of what the address will be used for, and a record of when and how consent was given.
How Financial Websites Can Get “GDPR-Ready”
Ultimately, it is down to each financial advisory firm to discern and implement the appropriate procedures to protect personal data in light of the GDPR.
However, here are some important questions to ask yourself, to help you prepare for the big change coming in May 2018:
- Which kinds of personal data do we store on our systems? What data does our financial website collect, and how is it processed?
- Does our business collect personal data fairly, lawfully and ethically?
- Do we have appropriate consent measures in place, and do we adequately inform consumers and clients about how their data will be used? Are they told clearly that they can withdraw consent, or ask for their personal data to be erased, at any time?
- Are we keeping personal data accurate and up to date, and are we keeping it for longer than is necessary?
- Are we implementing security measures appropriate to the risk, to protect clients’ and prospects’ personal data? Are we using encryption and pseudonymisation, and is the key or lookup table that re-identifies a pseudonym kept separately from the pseudonymised data?
- Will any personal data be stored or communicated outside the EU? If so, are appropriate safeguards in place to protect it, and is there a lawful basis for the transfer?
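As an added illustration of the last few questions (opt-in consent, withdrawal, retention, pseudonymisation and erasure), here is a small Python model of a subscriber store. It is example code written for this page, not software from any IFA firm, vendor or regulator; the class and function names, the keyed-hash pseudonymisation scheme, the integer timestamps and the sample addresses are all assumptions made for the example.

```python
"""Pseudonymised subscriber store with opt-in consent, erasure and retention.

Added example for this article; not from any IFA firm or vendor.
Names, the HMAC scheme and the sample data below are assumptions.
"""
import hashlib
import hmac

# Constructed key for the example only. In production this lives in a
# secrets store or HSM, separate from the database it protects, so that
# the pseudonymised marketing table alone cannot be turned back into people.
PSEUDONYM_KEY = b"example-only-key-rotate-me"

# Only capture channels with documented, freely given consent are accepted;
# bought lists and cold-call capture are refused at the door.
ALLOWED_SOURCES = {"web_form_opt_in"}


def pseudonymise(email, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of the normalised address.

    Unlike a plain SHA-256, the pseudonym cannot be recovered by hashing a
    guessed address unless the attacker also holds the key.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class SubscriberStore:
    def __init__(self):
        # Marketing data is keyed by pseudonym only ...
        self.marketing = {}
        # ... and the pseudonym -> identity link is held apart, so that the
        # marketing table on its own identifies nobody.
        self.identity = {}

    def record_opt_in(self, email, source, purpose, now):
        """Store a consent record; `now` is a Unix timestamp (int seconds)."""
        if source not in ALLOWED_SOURCES:
            raise ValueError("no valid consent for source %r" % source)
        pseudonym = pseudonymise(email)
        self.identity[pseudonym] = email
        self.marketing[pseudonym] = {
            "consent_at": now,       # when consent was given (Art. 7: must be demonstrable)
            "source": source,        # how it was given
            "purpose": purpose,      # what it was given for
            "withdrawn": False,
        }
        return pseudonym

    def withdraw_consent(self, email):
        """Withdrawal must be as easy as giving consent; keep the record as evidence."""
        record = self.marketing.get(pseudonymise(email))
        if record is None:
            return False
        record["withdrawn"] = True
        return True

    def may_email(self, email):
        record = self.marketing.get(pseudonymise(email))
        return record is not None and not record["withdrawn"]

    def erase(self, email):
        """Right to erasure: remove every copy, both the identity link and the record."""
        pseudonym = pseudonymise(email)
        found = pseudonym in self.marketing or pseudonym in self.identity
        self.marketing.pop(pseudonym, None)
        self.identity.pop(pseudonym, None)
        return found

    def expire_stale(self, now, max_age_seconds):
        """Storage limitation: drop records held longer than the retention period."""
        stale = [p for p, r in self.marketing.items()
                 if now - r["consent_at"] > max_age_seconds]
        for pseudonym in stale:
            self.marketing.pop(pseudonym, None)
            self.identity.pop(pseudonym, None)
        return len(stale)
```

The point of the two tables is that a leak of the marketing table, or a backup of it, exposes hashes rather than addresses, while a single erase call removes both halves; the retention sweep removes both halves too, so nothing lingers in one table after it has gone from the other.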