As the number of “GDPR (General Data Protection Regulations) compliant” privacy notices in my inbox long since ticked into 3 figures, all received in the week before 25th May, it has struck me how terrifying new regulation can be and how misunderstood are the rules and reasons for the new regulation.
Amusingly, many of these emails are unnecessary. If there is an ongoing contractual relationship these formalities can be completed at next review or renewal. For many people, it will offer a welcome opportunity to slim down the number of messages that are received.
Many message originators missed an important point of the new rules. The new rules stress that consent now needs to be a positive opt in. Therefore, all those originators who advised that recipients need to do nothing to continue receiving messages may find themselves to have problems in the future. They have not obtained positive opt in and therefore this is not compliant.
Personal data has become the new battlefield
I believe that Google and Facebook have already been reported for breaches of the GDPR to the Information Commissioners’ Office (ICO), which is the regulator in this respect. It will be interesting to see the outcomes of these. ICO does not have the resources to chase around smaller data controllers for breaches, but companies the size of Google and Facebook would be high profile scalps.
The reason for the regulation is consumer protection as is the reason for all the other pieces of regulation that have hit financial services in recent years. It is a sad indictment of our industry that different sizes of sledgehammer need to be introduced simply to get people to Treat Customers Fairly.
Personal data has become the new battlefield. Whether it is to steal money or rig elections, more damage can be done online nowadays than setting fire to the Houses of Parliament.
The retention and use of that data is important to all organisations of any size. Data is a very valuable commodity and many businesses are valued on the basis of their data, their client bank, the information it holds, the buying power of the clientele.
The right to be forgotten is hailed as a valuable facility now available to the public. To have their records deleted. However, it is likely to have minimal effect within financial services. Regulation over-rides the right of the individual. Most advisory firms will want to retain records as a defence against future claims and for many products, the retention of records would be reasonable for the term of the contract- eg 25-year life over – and then some years after the contract is finished. For pension transfer business, the retention period is indefinite. These are legal reasons for holding the data. The best that a client can expect is that the adviser will not market to them in future.
Thinking of record retention, one of my client firms has now started to allow colour copies of official documents to be retained. This was always a peculiarity of the rules. I had never known anybody get into trouble for holding colour copies. Certainly, I always considered this idea needed to be filed under compliance b******s and the sort of thing that made compliance look impractical and silly.
So, the next set of regulation coming up is IDD(Insurance Distribution Directive). This simply appears to bring the unregulated advisers, protection and mortgage advisers, more into line with registered individuals. This involves the production of illustrations and demands and needs or suitability letters. Most advisers have already been doing this.
The major pinch point of IDD is the introduction of a training & competence regime for these advisers which will involve the need to 15 hours of training per year. Again, most adviser are doing far more than this. This is a miniscule amount anyway.
15 hours per year + 1hour 15 minutes per month = 15 minutes per week on a 5-week month or up to 18minutes 45 seconds per week on a 4-week month = 3 minutes or 3 minutes 45 seconds per day. It would take masterful inactivity not to achieve this level of research, reading or even structured training. Anybody complaining about doing this level of training is either lazy, or incredibly complacent believing that they have no need to learn or keep up to date.