How has compliance changed in the year since GDPR?

On 25 May, it was a year since the General Data Protection Regulation came into force.

When it came into effect, GDPR was anticipated to change marketing compliance dramatically.

But in the year since its introduction, how has GDPR really affected your financial promotions? What is different for financial services Compliance teams twelve months on?

The fundamentals of GDPR

Any organisation has to comply with the General Data Protection Regulation if they:

  • Possess or process data pertaining to an identifiable person
  • Contact those individuals via email, phone, SMS or mail
  • Track their engagement via e-shots, cookies or landing pages for the purpose of profiling an individual

Any firm that does this for its own purposes is a ‘data controller’ in the eyes of the regulation. (A firm that only handles the data on another organisation’s instructions is a ‘data processor’, with narrower obligations; the lawful-basis and accountability duties discussed below sit with the controller.)

The GDPR makes no distinction between personal data held in a business context and personal data held about consumers: a named business contact’s work email address is personal data. Prior to this, data used for B2B marketing was treated as subject to less stringent rules than data captured for B2C.

What was the response from firms to GDPR?

As the implementation date for the new legislation approached, there was a rush of activity to ensure firms were compliant. Before and since then, activity has continued to adapt to the new, stricter environment.

  • Firms needed to select a lawful basis

The regulation gives firms a choice of six ‘lawful bases’ under which they can process data.

Prior to 25 May 2018, many firms had planned to use consent as their lawful basis of choice. Significant work was done to identify the best ways to gain consent from contacts so that firms could continue sending them financial promotions via email.

When the deadline came closer, many firms changed their approach and chose ‘legitimate interests’ as their lawful basis instead. Legitimate interests is not a free pass: the firm must record its balancing assessment, and recipients retain an unconditional right under Article 21 to object to direct marketing, which must be honoured.

  • Firms prepared to focus on other marketing channels

GDPR made the prospect of email marketing more challenging, with firms’ contact lists at risk of being decimated by opt-outs. This led many commentators to suggest that marketing activity might change significantly under GDPR.

A shift towards other digital channels for financial promotions was predicted, particularly SEO and social media. Any firm wanting to engage external experts to help with its digital marketing needs to avoid the pitfalls of outsourcing by making sure the approach still complies with the FCA’s rules.

  • Data and content have been refined

Data is of huge value to financial services firms, as the FCA pointed out in a recent speech.

Looking at the positives of GDPR, the regulation does give firms an incentive to clean up and focus their client data.

And with awareness of data protection rules growing as a result of the publicity around the new regulation, firms need to sharpen their content if they want to keep people on their mailing lists.

This might seem more an issue for Marketing than Compliance teams, but high-quality content – the sort of content people will opt in to receive – is a plus from a compliance as well as a marketing perspective.

Talking to an audience that is relevant to your products and services, with relevant, targeted content, should not only be marketing best practice but will also improve your chances of meeting the FCA’s requirements around promotions that are fair, clear and not misleading.

Has the UK met the requirements around GDPR?

Not entirely, it would seem. A report released in July last year claimed that UK employees are more likely to get into trouble for failing to do office ‘housekeeping’ than they are for GDPR breaches.

And a survey in December found that two-thirds of EU firms were not fully compliant with the regulation.

When the GDPR was imminent, some commentators suggested that data breaches could be the next PPI scandal, and that the new regulation posed a bigger compliance challenge than MiFID II.

It’s therefore something that all businesses should be taking seriously. Compliance teams, alongside their Marketing colleagues, play a key role in ensuring the firm’s approach to data governance is up to scratch.

What next for GDPR compliance?

In a blog to mark the anniversary of the regulation, Elizabeth Denham, the Information Commissioner noted that:

‘there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.’

Denham’s office will focus over the next year on providing support to ‘all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed’.

You can read our advice on GDPR compliance for small businesses here.

A move from tick-box compliance to a cultural shift

In its second year, Denham says the GDPR focus ‘must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals’.

This move away from ticking a box towards organisational behaviour that embeds good governance will be familiar to FCA-regulated Compliance teams – one reason why FCA-regulated firms may have been better prepared for GDPR than their unregulated peers.

Make sure your firm complies

If you want a refresher on what you need to do to comply with GDPR, it might be helpful to read our blog on the regulation’s launch.

The ICO also publishes regular blogs and has a dedicated GDPR microsite – both good sources of information.

It’s clear from the ICO’s stance a year since the regulation’s launch that the focus in the next twelve months will be on making compliance ‘business as usual’.

For advice on creating a more customer-focused, compliant culture in your firm – which will help you not only to meet the GDPR requirements, but stay on the front foot with any other changes – you can download a copy of our whitepaper, How to embed a compliance culture within your business. It’s free, and you can get a copy here.


Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.