GDPR for Financial Advice Firms
Saturday May 2018
In the next of a new series of articles based on the latest meeting of the Intelliflo GDPR Working Group on the ramifications of the GDPR for financial advice firms, Rob Walton considers the issue of consent for marketing.
As we have discussed before, there are two high-level types of consent firms need to consider: consent to process data and consent to market to a data subject. When thinking about marketing it is important to understand not all communication to data subjects is classified as marketing, especially when we consider communication to existing clients. Let's explore that in more detail.
The table below outlines the three client scenarios a financial advice firm could find itself in. Let's assume a firm has three clients, all of whom have pensions and
When becoming a customer of the firm, Client 1 has consented to receive marketing from the firm, whereas both Client 2 and Client 3 have not. Client 3 has also, at some point, objected to legitimate interest communications as well. All three of them receive communication the firm is contractually and legally (bound by regulation) obliged to send.
Client profile 1
Client profile 2
Client profile 3
Now let's examine the differences between the different communication types.
Contractual/legally required communication
Clearly there are obligations on a firm to provide certain communications to a client, such as providing them with their annual portfolio report, advising them their portfolio has dropped 10% in accordance with rules outlined in MiFID II, informing them their adviser has changed, a change of contact details for the advice firm or maybe there is a change of ownership of the advice firm itself.
While a client may have expressed preferences as to how they receive that information, they cannot make a complaint about the communication itself. A firm has both the right and the obligation to communicate to all of their clients profiled in this example.
Once a client signs a contract with an advice firm, they will automatically become eligible for marketing that is deemed to fall under legitimate interests. Without marketing consent, the advice firm can contact them under the auspices of a contractual or legal obligation (as above) and will also have grounds for contacting their client about legitimate interests of the firm.
The Information Commissioner's Office states: "You can rely on legitimate interests for marketing activities if you can show that how you use people's data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object."
A simple example of this may be sending an individual a quarterly client newsletter or where their adviser has information about their investments and how they might get more from the service the advice firm provides.
It may also be that a firm has a client, for example, who has not invested their full ISA allowance for the year with the tax year-end approaching. Alerting a client to this fact could well be in their best interests, so making an effort to inform them of this would be appropriate under legitimate interests.
While this is still marketing, it directly correlates with the service the client is being provided with and it would not be unexpected for a firm to send such communications to a client. This is not, however, an acceptable lawful basis upon which to launch entirely new and unrelated services - for example, "You are a pension customer of ours and we thought you might want to know about our new car insurance business".
While we have said a person signing up to be a customer of an advice firm automatically qualifies for legitimate interest marketing, that does not mean they cannot object to receiving such communications. While a firm's communication may well be in the best interests of the client, if they do not wish to be contacted by the firm, they can object to this.
Firms must provide their clients with the ability to object to such communication and firms are going to need the ability to systematically track when an individual has opted out of receiving legitimate interests marketing.
Legitimate interests marketing
This is what we think of as typical marketing activities - for example, a new product launch a firm is running or advertising the services of a third party. As you would expect, the data subject must have consented to receiving such marketing material from the firm.
For a firm to be able to undertake such marketing to an individual, it must have received consent that is compliant with Article 7 of the General Data Protection Regulation (GDPR) in that consent must be freely and positively given, unambiguous and auditable.
As with consent for data processing, the consent should have a lifespan that would cause it to be renewed at some point in the future. The data subject must be able freely to withdraw their consent as easily as they can grant it.
The above breakdown of communication types highlights the nuanced client marketing scenarios that advice firms need to be able to cater for in the form of legitimate interests marketing versus typical marketing activities. If a firm can only distinguish between those clients who have and have not granted consent to receive marketing communications, legitimate or otherwise, then it will lose granularity, and that loss will harm its ability to communicate with clients, which is required to maintain and grow its business.
Where firms do currently have marketing consent, they will need carefully to assess whether it is GDPR-compliant or not and, if not, they will need to consider how they will acquire it. Even before the GDPR comes into place, sending a blanket mailer to all contacts asking them to give consent for marketing to them would still be a breach of current direct marketing guidelines and could result in a complaint, as happened to Honda and Flybe in 2017.
In addition, firms must gather consent for each area in which they would like to contact the data subject as consent is not simply a catch-all for all types of communication.
The idea behind this is to empower the individual as to how their data is processed. Firms will need a contact preference centre to enable people to do this. This is, essentially, an extension of the current requirement to have an 'unsubscribe' button attached to all email communications.
While this works for emails, however, it is sensible to break this down into the different areas about which a firm may wish to contact an individual. They may not wish, for example, to receive a newsletter through the post and would prefer it in a soft format via a secure messaging portal.
Firms will also need explicit consent for each method of communication they intend to use to market to people. So, this means firms will need consent to email, telephone, write, fax - in short, whichever methods a firm intends on using, it will need consent for that.
Rob Walton is chief operating officer at Intelliflo