Intelliflo’s GDPR Working Group tackles tricky consent and privacy notice requirements

By Miles Reucroft
Mar 29, 2018 11:13:17 AM

Following the third meeting of Intelliflo’s GDPR Customer Working Group, which represents around 2,000 UK-based advice firms, a paper has been published that tackles how firms should deal with the consent and privacy notice sections of the new regulation, which comes into force on 25 May 2018.

The paper maps out how UK financial advice firms can comply with privacy notice rules around connected individuals, as well as how firms can create their privacy notices; where they should be stored and to whom they should be submitted.

Data gathering is an essential part of the financial advice process, in order to offer a fully tailored advice solution. Some of the data about clients and prospective clients may be classed as ‘special category’ under the GDPR.

The key issue arises from data being provided by clients or prospective clients about family members, such as partners or children. Given that firms will be required to obtain consent from all the people whose data is being gathered, this raises a potentially awkward situation for financial advisers, as they won’t be obtaining information direct from data subjects themselves. In such instances financial advice firms should issue such connected individuals with a copy of the firm’s privacy notice, where it does not constitute a disproportionate effort to do so.

Rob Walton, Chairman of the GDPR Working Group and Chief Operating Officer at Intelliflo comments; “As we witnessed during our Working Group meeting, the topic of connected individuals is a potentially troublesome one for financial advice firms. In keeping with the spirit of the GDPR, however, firms can put themselves in a stronger position by communicating the rights of the individual with whom they have not met, directly with them via the submission of a privacy notice.

“Firms will also need to establish an internal policy framework for instances where it could be reasonably defined as representing a disproportionate effort on the part of the firm to issue the individual with a copy of the firm’s privacy notice. This is one of the big risks that firms are facing under the GDPR framework – processing data on data subjects who are not fully aware of how or why their data is being processed could lead to a complaint in the future. Such a scenario could quite easily occur where a couple end up getting a divorce and previously unknown data held by the firm, about one of the parties, comes to light.”

The third Working Group paper also outlines exactly what advice firms need to do to create GDPR compliant privacy notices.

Robert Walton continues: “Articles 13 and 14 of the regulation are very instructive and clear for firms when creating their privacy notices. By working through these articles in the GDPR, there is no ambiguity in the process – this is something that was examined in detail by the Working Group and has been documented in the latest paper, providing significant help to advice firms getting their processes ready for the 25 May deadline..”

A copy of the paper can be downloaded free at