Data Protection and GDPR
Written on 10/08/2018
June 1st 2018
IFAC recommend that all IFA / MGI firms review their standard RI agreements.
Most RI agreements say something very similar to our own, which is posted in our document library under the Recruitment and HR section.
It reads:
Following termination of this Agreement the Adviser shall transfer within 30 days to the Company all original records, client files, electronic data and property concerning Business carried out on behalf of the Company, provided that the Company will allow the Adviser to copy such files,
Delete this: "provided that the Company will allow the Adviser to copy such files,"!
This is no longer allowed.
It is no longer possible for RIs to walk off with their client data, unless the client ALSO agrees to it.
So the IFA will need to get the permission of their clients to take the data, and that means sending out a letter to all customers (while still in the network or firm) asking whether they mind their information leaving that organisation.
It strikes me that the employer IFA firm will have to agree to this to avoid any prosecution for theft. No employer agreement means no right to information.
GDPR Q & A
Q. How does the GDPR affect the use of implied consent to cookies?
A. Implied consent can no longer be relied on as consent under GDPR when it comes to cookies. The consent must be given as a clear action, such as clicking to opt in or selecting a preference. It has to be a free choice, and it must also be capable of being withdrawn in the same manner.
Q. How will an employer be able to see a medical report obtained post-GDPR on an employee with all these difficulties around relying on consent?
A. As this falls into the 'special' category of data, it is more sensitive and therefore there is heightened protection. There will need to be a lawful basis for processing such data, and consent will need to be freely given. Since there is an imbalance in the relationship, it will be difficult to rely on the employee's consent. Therefore, employers and IFAs will have to find another legitimate interest for processing (employment law, defending claims etc). A record will need to be maintained and employees will have to be informed of the processing.
Q. If a contractor, such as an IFA working as an RI, is self-employed, will this make them more likely to be a controller under the GDPR?
A. Contractors such as Appointed Representative (AR) IFAs are controllers, because the clients belong in part to them. IFAs who act only as self-employed RIs are processors, and GDPR requires the controller to set out their relationship in a clear and transparent manner. In other words, IFA firms should ensure they have a contract with these RI processors.