The General Data Protection Regulation is a relatively new set of laws governing consumer data protection that went into effect in the European Union on May 25, 2018.
Basically, it’s the EU’s answer to consumer demand for increased transparency and accountability in how their data is used. Since then, California passed a similar law that will go into effect in 2020, and the rest of the country will probably follow suit shortly thereafter.
The jurisdiction covers the private information of any resident of the European Union, regardless of where your company is located. If you are collecting, storing or using the data of EU residents that visit your website, you must comply or risk up to $20M in fines. (If all of this seems sudden, it’s important to note that this law has been six years in the making.)
One of the unique challenges of the world-wide web is that it’s exactly that – world-wide. American visitors can easily navigate to European sites, and vice versa. I can’t count how many times I’ve ended up on a British or Australian site without realizing it until I see the word “colour.”
While American advisory firms tend to work primarily with U.S. citizens, if you have even a single client from the EU or anticipate doing so in the future, then your site needs to be made GDPR compliant. But are all North American advisors required to comply, even if you don’t have any EU clients? That’s a complicated question that we’ll come back to in a minute, but first, a bit of background.
What is the GDPR about?
A quick note: Before we go any further, I want to be clear that nobody has all the answers regarding the GDPR right now. We have spent countless hours researching this subject and believe this article to represent the latest, most accurate information, but nothing we say here should be taken as the final word.
You’ve probably heard of something called “cookies,” which store website visitor data in order to offer a more efficient and customized experience (not to mention they give site owners valuable information on their site’s traffic). And you’ve likely filled out a form online that had a checkmark next to a sentence that said something like, “Yes! Sign me up to receive your weekly newsletter.”
Both of those items – which many advisors use somewhere on their firm’s website – plus many others are about to become much more strictly regulated (at least for EU citizens who visit websites), with severe consequences for non-compliance. Basically, if you capture any information on your website, including name, email, address, phone number, available assets to manage and more, then you’ll want to read on.
Here’s what the GDPR means for your clients and prospects:
- Consumers have the right to be forgotten: Your firm is required to delete all client and prospect data upon request.
- Consumers have the right to access their personal data: Your firm is required to provide all data you have on a consumer at their request.
- Consumers can grant or deny services consent: Your firm must receive explicit consent from consumers before they are opted into emails and other communications.
- Consumers can grant or deny placement of cookies: Your firm must receive explicit consent before placing cookies on their device.
So what does that mean for you and your firm? As you’ll find, the answer isn’t so easy.
Are You the Data Processor or Data Controller?
You might be thinking that all this data tracking and security isn’t ultimately your problem, as you’re a financial advisor, not directly collecting and storing online client information on your own servers or in your own office. It’s all stored on third-party data servers, and it’s the problem of that vendor to maintain the security of the data on their servers.
That may be true, but the GDPR still sees it as your responsibility, because you’re the one requesting/collecting the information. The GDPR makes an important distinction between the data controller and the data processor. According to Article 4, the controller is the person or company who uses the data for business purposes (i.e., you, the advisor).
The processor is the person or company who stores the data. GDPREU.org gives this example: If Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.
So if you’re an advisory firm using Mailchimp or Constant Contact to email and keep track of contacts – or Salesforce or Redtail to track their info – those tools are merely processors. The ultimate responsibility and liability lie with you, because you’re the “data controller” since you’re the one who actually uses the data for business purposes … which means you’re the one who has to ensure user data is deleted or provided upon request.
Again, GDPREU.org explains it best: Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.
As the controller, if someone requests that you delete their info and you fail to tell your processor to delete it, you are liable and could face serious fines.
What Does the GDPR Have to Do With My Firm?
As with any new legislation, it’s often confusing and difficult to know exactly how it will impact you and your business. Any of the following processes could be impacted:
- How you collect data: How are you capturing names, email addresses, phone numbers and other data for clients and prospects? You will want to communicate clearly to users how their data will be used.
- How you use data: Are you using consumer data to send newsletters and other email updates? Remember the newsletter checkbox I mentioned above? GDPR makes it illegal to have the default setting for that checkbox be on next to “Yes! Sign me up to receive your newsletter.” It now must be off, meaning visitors have to intentionally check the box to be added to your subscriber list. (This doesn’t apply to your newsletter subscription form, as that is already a clear consent.)
- How you store and secure data: Make sure the applications and platforms where you use and store data are secure. Many advisors use third-party software to manage their contacts and user info, so a simple Google search will help you find out if your tools are GDPR compliant.
At this point, you may be thinking, “Doesn’t GDPR only apply to the consumer data of EU residents?” Well, yes, but there are a few reasons it matters for companies outside of the EU. If you do business with anyone who resides in the EU, you must comply. It’s also important to be GDPR compliant if you plan to do business in Europe. As a financial advisor, maybe you have a client who lives in Europe or plans to move – either situation would require you to comply.
Arguably, it’s also worthwhile preparing to comply simply to stay ahead of the curve. Similar data regulations will likely roll out in the U.S. at some point, so by complying with GDPR now, you’ll be ready when we follow suit here.
Do Financial Advisor Websites In the U.S. Have to Comply with GDPR?
Like I said, that’s a complicated question, but let’s see what we can untangle. As the law has yet to go into effect at this point, no one can say definitively how hard regulators will come down on violators – particularly when they’re EU regulators and U.S. companies. But the EU has been clear that it expects GDPR to apply to any company doing business with EU citizens, even when those businesses are based in other countries (i.e., the U.S.). In practice, we see four categories of advisors when it comes to the GDPR:
1. ADVISORS WITH ONE OR MORE CLIENTS WHO LIVE IN EUROPE
If this is you, then you definitely need to be compliant, no questions asked. Even if your clients are Americans by birth who now live in Europe, they are covered by the GDPR. In addition, even though it’s no longer part of the EU, the UK is currently working on its own version called the Data Protection Bill, so the same goes for your expat clients who have moved to Scotland, England, Wales and Northern Ireland.
2. ADVISORS WITH CLIENTS WHO ARE MOVING TO EUROPE
Again, you will definitely need to bring your site in line with the GDPR if/when/once you have a client who moves to Europe. Simply put, if a client decides to retire to Europe or move there on a permanent basis for any reason, your site must be GDPR compliant (if you plan to keep working with that client).
3. ADVISORS WITH ONLY NORTH AMERICAN CLIENTS, BUT WHO MARKET TO PEOPLE IN EUROPE ON THEIR WEBSITE OR WANT TO WORK WITH EU CLIENTS
Even if you don’t have any European clients, but you specifically target people in any European country on your website, then you also definitely need to comply with the new law. If you have any pages written in a non-English language spoken in Europe – or pages in English that speak directly to English-speaking people in Europe – it’s time to get your site up to code.
4. ADVISORS WITH ONLY NORTH AMERICAN CLIENTS WHO DON’T PLAN ON WORKING WITH EU CLIENTS (BUT MAY HAVE EU WEB TRAFFIC)?
This is where we start crossing into the gray area. No one wants to give a definitive yes or no at this point, as we have yet to see how strictly the regulatory authority will enforce the new rules. As of now, it is only clear that GDPR applies to companies in the first three categories. If your entire site is clearly geared toward North American investors and you have no European clients (and do not intend to take any on), then you may fall outside of GDPR regulation. After all, it’s not an American law.
The U.S. will likely follow suit within the next five years, but for now you are probably OK. If someone in Europe stumbles across your site and gives you their email in exchange for an ebook, then you probably aren’t in violation of the law (the keyword being probably). The same goes for if someone from Europe visits the U.S. and goes to your site while they’re here.
For instance, say you run a small RIA firm in Maine that serves people in your immediate community and it’s clear on your website that you only serve people in the U.S. If someone from France visits your town, hears about your firm and then visits your website to learn more, you would not be in violation. Of course, if that lead becomes a client after they go back to France, then you would be required to comply.
What makes the GDPR’s applicability here so fuzzy is their use of the phrase “data subject” to describe who is covered under the law. Article 3(2) says: “This Regulation applies to the processing of personal data of data subjects who are in the Union…” Does “data subjects who are in the Union” refer to: 1) citizens of the EU; 2) residents; or, 3) just anyone who happens to be on the continent when they access your website, even if it’s one of your clients or a prospect on vacation?
Nobody seems to know for sure right now, but just to be on the safe side, many people are assuming it’s the third definition and that anyone who happens to be on the European continent visiting a U.S. website could trigger GDPR for that U.S. website. If you are in the first three categories of advisors, you’ll absolutely need to inspect your website and any marketing, advertising and analytics you do to make sure you’re complying with this new law.
And even if you’re in the fourth category and suspect you may be in one of the others some day soon, it’s not a bad time to re-evaluate how you’re collecting, and what you’re doing with, the data of people who visit your website.
What Parts of My Advisor Website (and/or Third-Party Software) Could Be Violating the GDPR?
Chances are you use third-party software somewhere on your website, whether it’s for scheduling appointments, building landing pages, hosting webinars, tracking visitors, creating pop-up forms or a myriad of other tools that make your website easier to manage and/or help you with marketing to connect with and nurture prospects. And even if you don’t manage your website yourself, you are responsible for making sure your site is in compliance.
Here are some of the most common tools advisors use to gather information that you’ll want to check for GDPR compliance (if it applies to you).
1. APPOINTMENT SCHEDULERS
In order to schedule an appointment, you have to capture some information, whether it’s a user’s phone number, name or email address. What you as the controller do with that information, or your appointment scheduling software does as the processor, is an important part of GDPR compliance.
Best practice is to not use that information in any other way beyond that appointment, and then add a note to the scheduling page that says something along the lines of: “We only use the information you provide here as it relates to your appointment. We do not share it with any partners or even other departments within our firm.”
There are several solutions out there for scheduling appointments for financial advisors, so you’ll want to check with your provider or processor to see how they’re complying. For instance, ScheduleOnce has a great page outlining everything they’re doing to comply, as well as any responsibilities that may still fall on their users. Calendly has taken several steps toward compliance, but they still admit that “since GDPR is a new and broad regulation with no certification process, we have no process of verifying our compliance. Nonetheless, through our good-faith efforts, we believe we are in compliance, both now and as future developments come along.”
2. LANDING PAGE SOFTWARE
A landing page is any page (usually a standalone page) that you use to collect information from site visitors. It could be for an ebook download, webinar registration, appointment scheduling or even something as seemingly harmless as your contact page.
Many advisors add a “Sign me up for your newsletter” checkbox to these forms. If you do that, you’ll need to make sure the default setting in the checkboxes on all forms is set to “off.” Most advisors don’t build their pages themselves, but chances are your site admin uses some kind of landing page-building software. The people who build landing page software can’t afford to ignore GDPR because their tool is built specifically to capture people’s information, but you’ll still want to make sure by searching for “[your landing page provider] GDPR.”
Leadpages and Unbounce have added GDPR-specific tools for users to add to forms on their pages, and others seem to have done the same, but as the “data controller,” you’ll want to be extra diligent in making sure you’re covered.
As noted earlier, if your landing page is solely a form to sign up for your newsletter in the first place, that’s already GDPR compliant because signing up for the newsletter directly is by definition giving consent. But to the extent you’re “just” offering something else (e.g., an ebook or other download) and are separately also adding them to your mailing list … the visitor needs to be given the option to join the mailing list or not, and by default the box to join the list needs to be unchecked.
3. MARKETING AUTOMATION SYSTEM
If you use a marketing automation system (e.g., Hubspot, Mailchimp, Pardot, Drip), then you probably received an email from them in the past year telling you all the updates they’ve made regarding GDPR. Don’t assume that means you’re in the clear, though. While Mailchimp has added some great tools to help make your site compliant, you still need to go in and implement many of the tools yourself (e.g., turn on GDPR fields, set up new list segments to sort people by contact consent). Same goes for Hubspot, Drip and others.
4. POP-UPS AND COOKIES
Evaluate your existing pop-ups
If your site has any pop-ups asking people to sign up for your newsletter, a webinar or something else, that’s another area that must be GDPR compliant. If all you’re doing is directly inviting them to join your mailing list, you’re already compliant. And if you’re just using their email to reserve their spot for the webinar (and not actually adding it to a mailing list), then you’re also in the clear.
On the other hand, if you’re planning on following up after the webinar with more emails, you’ll want to get clear consent (because your emails may be primarily centered around the webinar, but are not exclusively so).
More generally, the key point is that pop-ups need to be clear about what they pertain to (or not) – and if the pop-up is asking visitors to consent to something else (e.g., joining a webinar, getting an ebook, etc.) and doesn’t specifically say they’re joining your mailing list or newsletter, you need to include a(n unchecked) checkbox to give them the option to join or not (or simply change the entire pop-up to state they’re joining the mailing list in the first place so they know when they give consent).
Pop-up tools like SumoMe and Sleeknote put together some very valuable information on how they’re compliant.
Even if you don’t have pop-ups, you will need to add this one
One point of the GDPR is that consumers must be given the option to grant or deny placement of cookies. Gone are the days when websites just asked you to turn your cookies on – you now have to explicitly ask for consent before tracking any user information.
In addition, you need to tell people what cookies you use and how they are used. This is an area where you’ll likely want to use third-party software that can take care of all of this for you – create the pop-up, list the current cookies used and track user preferences.
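The consent gate described above, as an added example that is not code from the original article or from any of the cookie tools it names: third-party tags are registered by category, nothing non-essential loads until the visitor opts in, the choice is recorded with a timestamp, and the registry doubles as the list of cookies the banner discloses. All names are hypothetical, and the in-memory `storage` stands in for `window.localStorage` so it runs outside a browser.

```javascript
// Added example, not code from the original article. A minimal consent gate:
// third-party tags are registered by category and are loaded only after the
// visitor opts in to that category. Names are hypothetical; "storage" stands in
// for localStorage so the code also runs outside a browser.

// Cookies the site sets, grouped by purpose. This list doubles as the disclosure
// the banner shows ("what cookies you use and how they are used").
const COOKIE_REGISTRY = {
  necessary: [{ name: 'session_id', purpose: 'Keeps you logged in', retention: 'session' }],
  analytics: [{ name: '_ga', purpose: 'Aggregate traffic statistics', retention: '26 months' }],
  marketing: [{ name: '_fbp', purpose: 'Ad retargeting', retention: '90 days' }],
};

// Nothing is pre-ticked: every non-necessary category defaults to "no".
function defaultChoices() {
  return { analytics: false, marketing: false };
}

// loaders: { analytics: fn, marketing: fn } -- the functions that would inject
// the third-party scripts. None of them runs until consent is on record.
function createConsentManager(storage, loaders) {
  const loaded = new Set();

  function readRecord() {
    const raw = storage.getItem('cookie_consent');
    return raw ? JSON.parse(raw) : null;
  }

  function hasConsent(category) {
    if (category === 'necessary') return true; // strictly necessary, no opt-in needed
    const record = readRecord();
    return Boolean(record && record.categories[category] === true);
  }

  // Load each consented category exactly once.
  function applyConsent() {
    for (const category of Object.keys(loaders)) {
      if (hasConsent(category) && !loaded.has(category)) {
        loaders[category]();
        loaded.add(category);
      }
    }
  }

  return {
    // Per-category cookie list for the banner.
    disclosure: () => COOKIE_REGISTRY,
    // Record an explicit choice with a timestamp, the proof that consent was given.
    save(choices) {
      storage.setItem('cookie_consent', JSON.stringify({
        categories: Object.assign(defaultChoices(), choices),
        grantedAt: new Date().toISOString(),
      }));
      applyConsent();
    },
    // Withdrawal: remove the record so no tags load on the next page view.
    withdraw() { storage.removeItem('cookie_consent'); },
    hasConsent,
    loadedCategories: () => Array.from(loaded),
    // Call on every page load: loads only what was consented to earlier.
    init: applyConsent,
  };
}

// Constructed in-memory stand-in for window.localStorage.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (key) => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
    removeItem: (key) => { map.delete(key); },
  };
}
```

In the page itself you would pass `window.localStorage` and loaders that append the analytics and ad script tags, then call `init()` on load.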
5. ANALYTICS TOOLS (GOOGLE AND OTHER)
Chances are most advisors aren’t diving too deep into Google Analytics. You have plenty of other things to do. But if you’re using any analytics tools to connect specific user info to region to see where your users come from, then you’re in violation.
Of course, anonymous information on where your users are from (i.e., standard Google Analytics tracking) is OK. The problem arises when you attach any personally identifiable information to user IDs by using additional analytics add-ons.
The GDPR strongly suggests “pseudonymizing” all IDs to prevent any identifying information from being attached to analytics information. In addition, the GDPR wants to set limits on how long user data may be held. Once again, they are keeping things vague (according to Article 5(e), user data should be kept “no longer than is necessary for the purposes for which the personal data are processed”).
While that timeline is open to interpretation, Google has implemented data retention controls, so you can choose how long you want to hold on to user info. Their default setting before was “forever”, but in May of last year, they changed it to 26 months. If you want to hold onto that information indefinitely, you’ll need to go in and change it to “do not automatically expire.”
Notably, there are several other options now available, too. A particularly helpful sub-option here is “Reset on New Activity,” meaning that if you have it set for 26-month retention, every time that user has new activity on your website, the 26 months starts over. They’ve also introduced a user deletion tool, so you can easily delete user info from your analytics.
Keep in mind, deleting a user from Google Analytics doesn’t delete them from everything else. You’ll still need to delete them from your site, marketing and any other software that may have tracked that user if someone actually requests to be deleted.
6. (DIGITAL) ADVERTISING
Digital advertising largely relies on someone’s ability to collect the personal data of others – whether it’s you doing the collecting or a third party like Twitter, Google, Linkedin, etc. This matters for GDPR purposes because what you do with that data – e.g., what services you share it with in order to serve up ads – must have been consented to when the user signed up.
For instance, if you plan to upload a list of prospects to Facebook in order to serve them ads, or to track people who click your ads so you can retarget them later, you’ll need to be certain that their cookie preferences allow for that option. In addition, you’ll want to examine your advertising workflow – from ad, to landing page, to what you do with visitor information beyond that. And of course, if the ads themselves invite prospects to sign up or do something, those sign-up forms need to be GDPR compliant as well (i.e., clear about how that data will be used, and not defaulting them into a mailing list without getting their explicit opted-in permission).
To say the least, if you’re automatically subscribing people to your newsletter without asking just because they downloaded an ebook or followed you on Facebook, be sure to discontinue that practice going forward.
Fortunately for advisors, all of the major digital advertising channels are the ones under the microscope on this issue, so they’re spending millions of dollars and scrambling to get your ads on their sites up to code. Altogether, estimates put the cost of GDPR compliance for U.S. Fortune 500 companies at $7.8 billion.
Third-party software like Cookie Control, OneTrust or Cookiebot will automatically update your list for you. All three of these services have free tiers that could entirely solve your cookie-reporting-in-Privacy-Policy challenge.
8. WEBSITE SECURITY MEASURES
This area goes back to the question of controller vs. processor (remember, as the advisor firm, you’re typically the controller). If any of your processors have a data breach, or you have one at your firm, you are responsible for notifying your users and the authorities “without undue delay” that their data has potentially been compromised.
If you fail to notify them, you could be fined up to $10 million, and then face additional fines on top of that for not implementing adequate security measures. To say the least, don’t drag your feet if there is a data breach; you need to notify clients, prospects and anyone else whose data was compromised to let them know what happened.
Of course, phrases like “without undue delay” are open to interpretation, and will likely be firmed up over time, but their general timeframe is within 72 hours of finding out about the breach. If it takes longer than that, you better have a good reason. Here are a few security measures you can take right away to start down the right path toward being GDPR-friendly:
- Enable SSL – If your site’s URL starts with http rather than https, then traffic to it isn’t encrypted (it isn’t using SSL). In addition to simply being more secure and reducing the risk of having a data breach (and being required to make an embarrassing admission to clients and prospects), browsers started throwing up red flags for non-SSL sites worldwide last year, so now is the time to make the jump (and there are now some easy tools available to help!).
- Keep plugins and themes updated – Sometimes plugins have security holes, but the good news is that they’re usually patched very quickly if they do. But the patches won’t help you unless you apply the updates! Continuing to use outdated plugins and themes is like leaving the doors to your house unlocked – it’s a really easy entry point for anyone who wants to get in, especially once the hole is known and you still don’t update your plugins. Simply put: Keep them updated!
- Develop a “breach protocol” – If your firm doesn’t know what to do (or what it would do) if/when a breach happens, you will be delayed in reporting to the authorities, and they probably won’t accept “we didn’t know what to do” as a valid excuse for reporting late. Experian has a great guide that can help you develop a protocol and be prepared.
9. MANAGING USER INFO
This will be a new one to most people, even those outside the financial industry. One of the main points of the GDPR is that you are required to let users see the info you have on them whenever they request it. This was already the case under the previous iteration of GDPR (the Data Protection Act of 1998), but rather than charging users $14 for their info, you now have to provide it for free (except in special cases).
How are financial advisors supposed to handle this one? The Information Commissioner’s Office recommends a data portal where users can access their own info, but that is probably overkill for most U.S. advisors who may see one such request over the course of a career.
While it may be a bit of a pain, the best approach as of now seems to be to look through all of your digital information to find the user’s profile(s) upon request, and then export the information and send it to the user. This is probably a job for an intern or executive assistant, but you’ll want to review their work before sending it out if there is a request as, again, the ultimate liability falls on you.
What Happens if I Don’t Comply With GDPR?
With non-compliance, you risk reputational damage. Companies like Sony, Equifax and Yahoo are eternally besmirched by their inability to properly protect client data. As the protection of personal data becomes a cultural norm, you’ll want your firm to be on the right side of this wave.
But it’s not just your reputation at stake. Non-compliance comes with hefty fines. Depending on the offense, you could be fined up to $20 million, or 4% of your company’s revenue from the previous year, whichever is greater. Again, at this point, it remains to be seen whether or how aggressive EU regulators will be in enforcing GDPR.
Complaints were filed against several big companies as soon as the law took effect, and some have paid fines. But given the very public data privacy breaches in recent years, it’s safe to assume that the EU intends to take the issue seriously.
Will The EU Regulators Really Fine U.S. Advisory Firms Under GDPR?
The short answer is that, again, nobody knows at this point. As the GDPR hasn’t gone into effect yet, we don’t know how aggressively they’re planning to go after U.S. organizations who are found to be unknowingly noncompliant, if they will at all. But it doesn’t sound like they’re going to take violations lightly, even if you’re across the pond.
The size of the fine is based on numerous factors, so it’s not likely that yours would be $20 million. But however much it is, it will probably end in the word “million.” As many advisors know all too well, you should never depend on the kindness of regulatory organizations.
How Can My Advisory Firm Become Compliant?
The first step is to contact your site administrator and ask them if they are GDPR-compliant. If they’re not, give them a timeline to get there, and find a new administrator if they don’t make it. In summary, advisory firms will need to address six areas to become GDPR compliant, assuming either you have EU clients (and must be compliant), or are concerned you might be subject to GDPR given EU visitor traffic:
1) Get Permission for Cookies. The core starting point for GDPR is to not collect information on consumers until they give consent. So you’ll need to add a plug-in that obtains consent before collecting cookie information.
3) Update Your Opt-Ins and Landing Pages. Under GDPR, you need to be crystal clear about how information will be used, and only add people to lists they explicitly consent to. Opt-in forms for your mailing list are fine, but any landing pages or opt-in forms you use that add people for some other purpose and then also add them to your mailing list must be altered to make the addition to the mailing list optional, with a checkbox that is by default not checked.
4) Have a Process to Provide Information to (or Outright Delete) Users. GDPR includes a “right to be forgotten” section that requires consumers have the right to know what information you have collected on them, and have it deleted. You’ll need to establish a process for how you will do this across all of your different systems (as GDPR penalties will apply if you fail to fully delete a user’s information across all your software platforms).
5) Verify Your Vendors are Compliant. From a practical perspective, this means verifying that your vendors can manage information at the individual user level to ensure they can be deleted if necessary, and for any software that facilitates sign-ups, ensure that the sign-up forms/landing pages/etc. are all compliant or can be made compliant.
6) Have a Policy for Data Breaches. Ideally, your website and systems will be maintained in a secure manner that doesn’t get breached. But data breaches can still happen. Be certain to establish a plan for how you will communicate this if it ever occurs, as GDPR requires timely notification “without undue delay” … and not being timely because your firm was scrambling to figure out how to notify clients and prospects is not an acceptable reason for delay.
At Carson, we’re bringing our site and those of our partners up to speed with the help of the Ultimate GDPR plugin and some custom design. You can help your site become compliant by:
- Managing user data in a back-end user manager directly in WordPress
- Providing a way for users to easily see and manage their own data
- Giving users an easy link to request data deletion, and helping you keep track of which users have requested deletion so you make sure it gets done
- Making it easy to send data breach notifications to the right people right away
There are plenty of other services available that accomplish many of the same tasks as CookieBot and help you take stock of the situation and become compliant. Cost is an understandable factor to consider here. If you only have one or two EU clients, then how much is it worth to you to bring your site up to code? Custom coding might cost you a little more if you need it. Other services can come with a minimal monthly fee or similar lifetime prices. But what’s a few hundred bucks compared to the potential penalties of noncompliance?
Why is GDPR Happening?
Data security has become a hot topic in recent years. Equifax’s 2017 data breach impacted nearly 150 million consumers, exposing data from Social Security numbers and tax information to email addresses and driver’s licenses. Companies like Uber, eBay and Target have also experienced recent hacks. In 2018, Facebook CEO and founder Mark Zuckerberg testified before the U.S. Congress regarding the misuse of data collected on 87 million Facebook users by Cambridge Analytica.
In today’s hyper-connected and highly digital world, we frequently trade our personal information for products, services and even convenience. The technology we use and the brands we love have become such an integral part of daily lives, but compromised data and accounts have left consumers feeling vulnerable and betrayed.
Consumers are demanding transparency, and it’s going to dynamically change the way companies operate. The issue is twofold: Consumers want to know how their information is being used and that they can trust the companies who use it to keep it safe. The goal of GDPR is to hold businesses accountable by creating more transparency between companies and consumers.
It’s also changing the way businesses operate. Now companies will have to be more critical of how they use and monetize consumer data. GDPR marks a revitalization in data protection laws, replacing the Data Protection Directive of 1995. A lot has changed since the year of the first flip phone. There’s a huge chasm between what companies could do with data then versus now, so this new legislation will better align with today’s data processing capabilities.
Most importantly, it gives consumers stronger control over their data. In our increasingly globalized society, this is the new standard. We believe privacy is important and trust is key to a successful business. That’s why we want to make sure you’re prepared.
This article originally appeared on the Nerd’s Eye View at https://www.kitces.com/blog/gdpr-compliance-rules-financial-advisors-digital-marketing-data-controller.