Please note that this FAQ is only an overview of GDPR and not a comprehensive analysis of how GDPR affects your firm, nor a complete review of all of the GDPR requirements. Advisor4advisors does not provide legal advice and advises you to contact your legal counsel for direction on GDPR compliance.

What is GDPR?

GDPR stands for General Data Protection Regulation and is the European Union (EU) Regulation that replaced the Data Protection Directive (DPD) and the UK Data Protection Act 1998. After many years of debate, it was approved by the EU Parliament on April 14th 2016 and concerns the protection of personal data and the rights of individuals who are living in the EU. Its aim is to ease the flow of personal data across the 28 EU member states.

Who does GDPR apply to?

Any organization which processes and holds the personal data of people residing in the EU will be obliged to abide by the laws set out by GDPR. This applies to every such organization, regardless of whether or not it is itself based in one of the 28 EU member states.

What kind of information does the GDPR apply to?

GDPR applies to personal data (PD) such as name, address, email address, phone numbers, identification numbers, purchase history, account numbers, IP address, location data, photos and updates on social media networks.

The current Data Protection Directive defines personal data as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

What rights will individuals have under GDPR?

There are 8 fundamental rights of individuals under GDPR. These are:

  • The right to be informed - Organizations must be completely transparent in how they are using personal data.
  • The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.
  • The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to be forgotten - Also known as 'the right to erasure', this refers to an individual's right to have their personal data deleted or removed without needing to give a specific reason for wishing to discontinue.
  • The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.
  • The right to data portability - This allows individuals to retain and reuse their personal data for their own purposes.
  • The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights related to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or where it is based on automated processing.

In general, GDPR requirements revolve around the fulfillment of those rights.

What responsibilities will companies affected by GDPR have under this new regulation?

Companies must ensure that consent to process personal information is clear, affirmative, and in plain language. Companies must also make it easy to withdraw consent to process personal data. Companies must implement policies and procedures to comply with the rights of individuals as described above. For example, they must provide a way to correct inaccurate information or to request removal of all of an individual's data. Companies must update data security policies, processes and procedures to reflect the requirements of GDPR.

How does GDPR affect an advisor’s website?

Here are some ways that GDPR would affect a firm's website.

Privacy Policy

Your firm’s privacy policy that appears on the website should be updated to reflect the requirements of GDPR. GDPR requires that it be written in “natural language that is easy to understand”.

Your firm should include and name any third-party processors of personal information and explain how personal data is processed and for what purpose. For example, if your website uses Google Analytics plugins to monitor website usage, identifying how many visitors viewed a particular page and thereby inferring interest in a company's service, then that should be stated.

There are some special categories of personal information that require special consideration. If that information is not collected, that should be stated in the privacy policy. If some of the special personal information is collected via your firm's website, then what data is collected and why it is collected should be stated. Some of the categories are data concerning:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Genetic or biometric data
  • Health or mortality
  • Sex life or sexual orientation

Data collection disclosure (Cookie disclosure)

You most likely have already been to websites with cookie disclosure popups, where you cannot use the website without accepting the disclosure. These disclosures are implemented to comply with "the right to be informed". In general, the cookie disclosures explain that some information will be stored in order to allow the website to function. The disclosure should also include a description of any other way cookies are used, such as tracking visitor usage of the website, or for marketing purposes.

Forms for collecting data

Forms for collecting data should include an acceptance (checkbox) of the privacy policy, and of any other policies that describe how the data will be processed.

If the way that data will be processed (e.g. e-newsletter subscription) is not clear from the form, then a separate acknowledgement (checkbox) should be used.
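The cookie disclosure and the form-consent points above can be turned into a small piece of website logic. The following is an added example, not code from Advisor4advisors or from the original FAQ: it validates a submitted form so that only an explicit, unticked-by-default acceptance counts, demands a separate acknowledgement for a purpose that is not obvious from the form (the e-newsletter case), records which policy version was agreed to and when, makes withdrawal as simple as granting, and gates non-essential cookie categories until the visitor opts in. The field names, purpose identifiers and the policy version string are assumptions for illustration.

```javascript
// Added example (not from the original FAQ): consent handling for a website
// contact form and cookie banner. Field names, purpose ids and the policy
// version string are hypothetical; substitute your own.

// Identifies which wording the visitor agreed to, so that a later change to the
// privacy policy is distinguishable from the consent that was actually given.
const POLICY_VERSION = "privacy-policy-2018-05";

// Each processing purpose the form feeds. A purpose that is obvious from the
// form itself (sending an enquiry) is covered by accepting the privacy policy;
// one that is not (newsletter subscription) needs its own checkbox.
const PURPOSES = {
  contact_reply: { separateCheckbox: false, label: "replying to your enquiry" },
  newsletter:    { separateCheckbox: true,  label: "e-newsletter subscription" },
};

// Validates a submitted form (a plain object of field values, as parsed from the
// POST body) and, when valid, builds the consent record to store with the data.
function validateConsent(form, now = new Date()) {
  const errors = [];
  const consents = form.consents || {};

  // Only an explicit boolean true counts: a missing field, a pre-ticked
  // default, or a string such as "on" that was never checked is rejected.
  if (form.accept_privacy_policy !== true) {
    errors.push("privacy policy must be explicitly accepted");
  }

  const granted = [];
  for (const purpose of form.requested_purposes || []) {
    const def = PURPOSES[purpose];
    if (!def) {
      errors.push("unknown purpose: " + purpose);
      continue;
    }
    if (def.separateCheckbox && consents[purpose] !== true) {
      errors.push("separate acknowledgement required for " + def.label);
      continue;
    }
    granted.push(purpose);
  }

  if (errors.length > 0) {
    return { ok: false, errors, record: null };
  }
  return {
    ok: true,
    errors,
    record: {
      policyVersion: POLICY_VERSION,
      purposes: granted,
      grantedAt: now.toISOString(),
      withdrawals: [],
    },
  };
}

// Withdrawing consent must be as easy as giving it: drop the purpose and keep
// an audit entry, returning a new record rather than mutating the stored one.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    purposes: record.purposes.filter((p) => p !== purpose),
    withdrawals: [...record.withdrawals, { purpose, at: now.toISOString() }],
  };
}

// Cookie gating for the disclosure banner: strictly necessary cookies may be
// set before any choice is made; every other category waits for an opt-in.
function cookieCategoryAllowed(category, cookieConsent) {
  if (category === "necessary") return true;
  return Boolean(cookieConsent && cookieConsent[category] === true);
}

// Constructed submissions, standing in for parsed form posts: a valid enquiry,
// a pre-ticked/unchecked box arriving as the string "on", a newsletter request
// without its own checkbox, and a newsletter request with it.
const submissions = [
  { accept_privacy_policy: true, requested_purposes: ["contact_reply"] },
  { accept_privacy_policy: "on", requested_purposes: ["contact_reply"] },
  { accept_privacy_policy: true, requested_purposes: ["contact_reply", "newsletter"] },
  { accept_privacy_policy: true, requested_purposes: ["newsletter"], consents: { newsletter: true } },
];

for (const s of submissions) {
  console.log(JSON.stringify(validateConsent(s)));
}
```

Two design points: the checks compare against boolean `true` rather than truthiness, so a box that was rendered pre-ticked or a value the browser sent for a disabled field does not pass as an affirmative act; and the record keeps the policy version and timestamps, which is what lets the firm later show what a visitor agreed to, and when they withdrew it.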