Intelliflo GDPR Group outlines how firms should tackle consent and privacy notices

The paper maps out how UK financial advice firms can comply with privacy notice rules around connected individuals, as well as how firms can create their privacy notices, where they should be stored and to whom they should be submitted.

In its third meeting, the Group noted that some of the data about clients and prospective clients may be classed as ‘special category’ under the GDPR.

It says the key issue arises from data being provided by clients or prospective clients about family members, such as partners or children. Given that firms will be required to obtain consent from all the people whose data is being gathered, this raises a potentially awkward situation for financial advisers, as they won’t be obtaining information direct from data subjects themselves.

In such instances, the Working Group says advice firms should issue such connected individuals with a copy of the firm’s privacy notice, where it does not constitute a disproportionate effort to do so.

The third Working Group paper also outlines exactly what advice firms need to do to create GDPR compliant privacy notices.

Rob Walton, Chairman of the GDPR Working Group and chief operating officer at Intelliflo, commented: “As we witnessed during our Working Group meeting, the topic of connected individuals is a potentially troublesome one for financial advice firms. In keeping with the spirit of the GDPR, however, firms can put themselves in a stronger position by communicating the rights of the individual with whom they have not met, directly with them via the submission of a privacy notice.

“Firms will also need to establish an internal policy framework for instances where it could be reasonably defined as representing a disproportionate effort on the part of the firm to issue the individual with a copy of the firm’s privacy notice. This is one of the big risks that firms are facing under the GDPR framework – processing data on data subjects who are not fully aware of how or why their data is being processed could lead to a complaint in the future. Such a scenario could quite easily occur where a couple end up getting a divorce and previously unknown data held by the firm, about one of the parties, comes to light.

“Articles 13 and 14 of the regulation are very instructive and clear for firms when creating their privacy notices. By working through these articles in the GDPR, there is no ambiguity in the process – this is something that was examined in detail by the Working Group and has been documented in the latest paper, providing significant help to advice firms getting their processes ready for the 25 May deadline.”