The GDPR and UK Financial Advisers: Consent, Erasure & Accuracy

General Data Protection Regulation (GDPR) Data Subject Consent is essentially targeted at giving data subjects more control over use of their data – for example in connection with marketing activities, which (in the absence of consent) could not otherwise be legally warranted by a data controller.

Giving a data subject the option to give or refuse consent protects individuals from unwanted and unjustified communication from service providers and is aimed largely at the business-to-consumer world. It will affect advisers, given that it will dictate how they can approach new business opportunities from new or existing clients.

If an email, SMS message or phone call is sent or made to an individual and that individual follows it up with a request to understand where they gave permission for such correspondence, then it is the obligation of the firm to be able to prove the individual in question has indeed consented to receiving such correspondence. If the firm cannot provide this evidence, then this constitutes a breach.

GDPR and financial advisers: The Right Of Erasure
While this does have an effect on correspondence with clients, it only affects certain types. The other relevant condition for advisers to be aware of here is the ‘necessary for the performance of the contract’ condition.

A client may well opt out of marketing communications, such as a firm’s newsletter, but the firm would still have to send them correspondence on things like portfolio updates and contracts as such correspondence is essential for the performance of the contract between the data subject and the firm. What would the data subject be expecting to receive from the firm?

The opt-in process for obtaining valid consent under the incoming General Data Protection Regulation (GDPR) will be quite onerous for firms marketing to individuals. It is therefore a good idea to get started early and consider how the firm will market to prospects post-GDPR.
You can obtain a full GDPR presentation along with two question packs at

GDPR and financial advisers: Data Accuracy
Simple steps could be taken now, for instance, updating the privacy policy to make sure that the firm has made some inroads towards compliance. In marketing materials that are submitted now, it is worth including the double “opt-in” option in such correspondence. Provided the guidelines for obtaining valid consent under the GDPR are met, if people opt in now, then the firm will have the ability to correspond with them after 25 May 2018.

If consent from an individual is sought, they must respond to be considered to have opted in. Their silence or inaction is not indicative of consent. Similarly, where someone has opted into correspondence at an event, in person, the firm should consider a mechanism to follow up to gain their unequivocal written consent as a form of best practice.

This applies to electronic opt-ins too and is called ‘double opt-in’. This is to avoid circumstances whereby an individual’s details may have been shared under false pretences, or by mistake. A face-to-face meeting does not constitute an explicit response. Compliance Consultant (http://www.complianceconsultant) can help you through this.

Concerns Raised
How would you know if someone had given consent to be marketed to and, beyond that, how are they going to get clients to say yes in the future?

The topic of consent is one of the few black and white areas of GDPR with draft guidance. If the person being marketed to – that is to say, being contacted outside the bounds of the performance of a contract – has not explicitly and unambiguously agreed to be contacted, then this would constitute a breach of the GDPR.

Clients cannot be deceived at all. Having a pre-ticked box below an online form, for example, does not constitute consent. The user must be made aware of what their contact details will be used for, how their data will be processed and have the opportunity to make their own choice about whether or not they receive communication from the firm.

When it comes to legacy clients, where a firm may wish to contact them to notify them about new products and services, it was agreed the firm will need to seek their permission to do so.

This will have to be done in advance of GDPR entering force, since any correspondence after 25 May 2018 in this fashion will constitute a breach, since those individuals will not have consented to be contacted at all. If firms have not begun to seek consent – or fresh consent in order to meet the higher threshold under the GDPR – from existing contacts within their database, then they should seek to do so now.

If these individuals do not respond to requests, it should be assumed they do not wish to be contacted. It is worth demonstrating the benefits they will lose out on by not responding, such as special deals, new investment opportunities, industry news, etc.

Beyond receiving their unambiguous consent to be marketed to, a firm also needs to make it very easy for an individual to change their communication selections – or in other words, to withdraw consent. This is just like offering an unsubscribe option on emails – something firms should currently be doing.

There is often discussion about whether it would be acceptable to include a small amount of marketing in documents that are distributed to individuals as part of the performance of the contract. This could, for example, be used as a vehicle to update them on new investment opportunities. The answer is that yes, it can, but the marketing must be relevant to the overarching reason for the letter and should not detract from that as the main message.

Data subject consent: Key actions and considerations

Consent from individuals must be unambiguous, and they must also have the opportunity to redefine their communication preferences at any time. How will you achieve this?

How will you ensure the person completing the form/questionnaire/application is over the minimum age?

Even if the client “Opts-Out” certain correspondence may be necessary for the performance of the contract with the individual concerned, in which case consent would not be required; how will you explain this?

The fallback position is simple: if there is ANY uncertainty about whether a firm has consent from an individual, then it should consider that it does not have consent.

Data subject consent: Questions for all industry advisers

Have you started gathering consent from clients and prospects and if so, how? How is it recorded?

Does this data form part of Senior Management MI Packs?

How and when are you going to seek consent from legacy clients?

Do you currently capture consent and, if so, how would you demonstrate this?


Compliance Consultant can assist you in all your GDPR preparation and can work with most websites, back office systems and financial promotion strategies. Contact us now on 0203 815 7939

