GDPR for regulated firms: what do you need to know?

The General Data Protection Regulation comes into force next year. It applies to all firms – but those that are already regulated, for example by the FCA, may have a head start when it comes to compliance.

Here, we look at why.

What is the GDPR?

The General Data Protection Regulation comes into force on 25 May 2018.

It is an EU regulation designed to strengthen and increase consistency in data protection. Although it is an EU regulation, it also governs the export of personal data outside the European Union.

It will affect any firm that:

  • Possesses or processes data pertaining to an identifiable person
  • Contacts those individuals via email, phone, SMS or mail
  • Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual

You can read about some of the detail of the regulations, released by the Information Commissioner’s Office in the spring, here. You can also find out why – rather scarily – some commentators think GDPR could be the next PPI scandal.

What does it mean for regulated firms?

If you work in marketing for a regulated firm, you’re already used to complying with a range of stringent rules, whether they are set by the Financial Conduct Authority, Solicitors Regulation Authority or other regulator.

Does this give you a head start? Well, yes and no.


Yes:

  • Because you are already used to working with some degree of rigour. So in some ways, the new rules will be less of a culture shock.

For example, the GDPR has strict requirements around record keeping. FCA-regulated firms already have to comply with the FCA’s requirements on accurate financial promotions record keeping.

  • Because you are likely to have a culture that supports a compliant approach.

The structures and processes to comply with the GDPR need to be championed at the top of your organisation.

This is something the FCA is also big on. If you already have a culture where good behaviours are embedded, you will be on the front foot.

  • Because some of the FCA requirements already support the principles of the GDPR. 

If you are meeting the regulator’s requirements on suitability, producing financial promotions that are fair, clear and not misleading and delivering the FCA’s required consumer outcomes, you are likely to already be marketing in a way that puts customers at the heart of your approach. A good start when it comes to managing their data responsibly.


No:

  • Because the GDPR has very specific requirements.

These mean you will have to do things differently, however FCA-compliant your current approach is. One of the biggest changes is the move from opt-out to opt-in permissions. There are few firms that will have already voluntarily implemented this.

Even if you already meet the data (and other) requirements of your regulator, there will be things you need to change to comply with the GDPR.

What do I need to do now?

Our blog on the 10 things you need to know and do now about GDPR has tips on what the new regulation means and what action you need to take.

With the go-live date now less than a year away, firms need to make sure they have action plans in place to address the new rules. Processes and structures will need to be implemented or adapted to ensure you meet the requirements.

The new rules won’t just affect Marketing, but anyone in the business who communicates with clients or prospects. So you’ll also need to understand how they will impact your Sales team and Compliance colleagues.

And of course, GDPR is just part of the wider regulatory landscape. Just one of the requirements you need to get to grips with and comply with. 

To read more on the rules that govern you, and how to avoid compliance breaches, you can download our Marketing Guide to Compliance. It covers nine key areas that marketing needs to know about financial promotions and compliance; get your free copy here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.
