GDPR – let’s do the detail!

Financial Advisory

James Goad

Big DataCorporate GovernanceData ScienceEUFinancial AdvisoryGDPRSecurityWinning Advisers

Now GDPR is here, it is essential to ensure you fully understand the legal and policy criteria and ensure that your business, IT and marketing processes are fully compliant.


  • Review legal/policy to make them fit for your business.
  • Regulatory requirements overrule GDPR requirements regarding the keeping of certain types of data.
  • GDPR seeks to strengthen control of Personal Data only.
  • Brexit makes no difference to the implementation of GDPR and it is seen as a sensible way to communicate with Europe.
  • Enforcement Officers can/will issue fines but they need not be significant as long as you can demonstrate that you have processes in place.
  • Make sure laptops are encrypted, staff are fully trained and IT and reporting processes are tested.
  • If a client requests to see the data held on them, it was suggested that clarification is sort as what they want the data for so that you can provide just the data required.
  • The two areas to be concerned about are Marketing and Employees
    - Only applies to electronic communications.
    - Doesn’t apply to businesses but if it is directed to an individual about something not relevant to the business, then you will require consent before the 25 May.
    - Legacy business – you can only contact the client about existing business you cannot offer some other product/service.
    - You can keep files but only the data that relates to the advice.
     Employees
    - Check employment contracts as they may no longer be current.
    - Ensure the people on your website given consent for them to be there.

Key issues and challenges:

  • Storage of data – identifying where in your business data is held.
  • Understanding multiple data storage options.
  • Reviewing and changing staff contracts to fulfil GDPR.
  • Testing your system ability to delete information.
  • Understanding third party contracts to identify where liability sits, and the levels of compensation you could be liable for.
  • Where are 3rd party suppliers based? i.e. Outside the EU and what implications will this have?
  • Understanding what type of insurance might be needed and what does existing PI insurance cover
  • Definition of a ‘business’ for marketing purposes needs to be understood. E.g. sole traders and partnerships are not included in this.
  • How do you make sure you can delete all data held for a client when asked?
  • GDPR requirements vs FCA requirement.


  • Review how and where data is stored – multiple areas will cause issues.
  • Ensure client services agreement clearly define the services you can bring to their attention.
  • Make sure laptops are encrypted, staff are fully trained and IT and reporting processes are tested.
  • Be clear on your 3rd party contractual responsibilities regarding GDPR and the impact of not meeting them.
  • Review or change employee’s contracts to include GDPR and their rights as well as employers rights regarding using their personal data.
  • If you have self-employed advisers make sure their contract of services reflects their liability and what needs to be done with the data when they leave.
  • Review how you send client data (shared file boxes).
  • Find out about secure/encrypted email suppliers, such as Beyond Encryption.
  • Obtain consent from people on website.

Expert: Matthew Lea - Herrington Carmichael LLP
Facilitator: Martyn Laverick - Soprano Consulting, Paul Miles - Silverback Consulting