Preparing for the General Data Protection Regulation (GDPR)

19 July 2018
The new GDPR rules came into effect on 25 May 2018 and aim to strengthen data protection for customers, giving them more control over their personal information.

What is GDPR?

In a nutshell, GDPR will change how businesses handle their customers’ personal information. It will also give customers more say over how their data is used and stored.

How we’re getting ready

We’ve pulled together experts from across the Royal London Group and created a Data Governance project team to tackle the GDPR changes.

What we’re doing

We’re preparing for GDPR by:

  • amending our new business material and processes, for example, application forms, welcome packs and online service

What we’ve done so far

The main changes made to both the documents were:

  • Highlighting that both Royal London and you are independent data controllers for our mutual customers.
  • Being clear we rely on the legitimate interest basis when using your personal information, for example to contact you with offers, promotions and information about products and services which may be of interest to you and your clients.
  • Reminding you that if we provide you with customer’s personal data you should make sure you only use it for activities you have a lawful basis for.
  • Signposting you to the new customer privacy notice that you’ll need to provide to your customers when they place business with us.
  • Removing the data processor clauses as both Royal London and you are independent data controllers.
  • Highlighting the obligations of Royal London and you where there is a subject access request or if there is a personal data breach which may affect the other party.
  • Providing contact information for our Data Protection Officer.
  • Adding and changing some of the defined terms used.

There were also a handful of changes unrelated to GDPR made to the pensions Terms of Business document:

  • Changes to the money laundering regulations referenced.
  • Removing references to consultancy charges from AE schemes.
  • Stating we reserve the right to restrict the maximum adviser charge we will facilitate.

We’ve updated our Privacy Notice for customers to explain:

  • what we do with their personal information
  • who we share it with
  • where we get it from
  • the legal reasons for using it
  • their rights and how they can take action, and
  • what the retention periods are – for example how long their personal information can be kept.

Customers can read our full Privacy Notice by visiting

How we’re protecting your information

Our adviser Privacy Notice explains how we use your own personal information and what your rights are. This will be available on our website from 25 May.

Roles and responsibilities

GDPR applies to ‘data controllers’ and ‘data processors’. The diagram below explains the difference between ‘data controllers’ and ‘data processors’ and our responsibilities under both roles:

Data controller

Data controller

The data controller determines the means and purpose of processing personal information. They can use a data processor to provide expertise, but the data controller has the final say in what happens with this personal information.

Data processor

Data processor

The data processor is responsible for using personal information in line with instructions from the data controller.

Royal London hallmark

A Royal London example

Both you and Royal London are joint, independent data controllers.

Royal London is responsible for making sure they’re clear and upfront about how they use personal information. They have a legal basis to share data with you.

You’re also responsible for making sure you’re clear and upfront about how you use personal information. You have a legal basis to share data with us - for example when you’re applying for a new product on behalf of your customer we need certain personal information to process the application.

What you need to do

Here are some of the things you need to consider as part of your own GDPR requirements:

  • Check the personal information you hold - where did it come from? Who are you sharing it with?
  • Keep records of your data processing activities - if you've shared inaccurate data with anyone, let them know so they can update their records.
  • Explain to your clients how you process their personal data - do you have a Privacy Notice to explain this?
  • Review and update your business material and processes - are your policies and privacy notices up to date and compliant?
  • Change the way you deal with data requests - how will you respond to requests from clients to see a copy of the information you hold about them? You now need to respond within one month.
  • Be prepared to deal with data protection breaches - put clear policies and procedures in place so you can react quickly. You have 72 hours to notify the regulator.
  • Check you have retention periods for all personal information - you need to be clear how long you'll hold information for and delete anything you no longer need.
  • Check you've got a genuine reason for processing personal information - you must meet at least one of the GDPR's six 'legal bases' before you can legally process customer information.

Staying compliant?

As mentioned in our updated Terms of Business, we’re both responsible for our own compliance with the data protection legislation. However, we’ve noticed that some advisers are using public email providers such as Google. In this instance, we wanted to let you know that the email provider would be classed as a Data Processor under GDPR, so you should have the standard GDPR terms in your contract with them.  Where you provide us with such an email address, we’re presuming that you have such agreements in place.

Both you and Royal London are independent data controllers. We’re legally required to make sure we have a legal basis for sharing data with you and we’re responsible for making sure we’re clear on how we use customers' personal information – in GDPR terms it’s called being ‘transparent’.

You’re also responsible for having a legal basis for sharing data with us and being ‘transparent’. For example - when you send us a new business application.

You’ll find everything you need to know on the website. To get you started, our 'What you need to do' section above lists some of the things you need to consider.

We keep customers’ personal information for as long as it’s needed, providing we’re still using it for the same reasons we collected it. We also need to comply with regulatory requirements, meaning by default we will keep personal information for seven years after our relationship with your client has ended. Information can sometimes be kept for longer than seven years.

Our Privacy Notice explains more about this.

Under the new GDPR rules there are legal bases that can be used for marketing, one of those is gaining customer consent, another is ‘legitimate interests’.

Legitimate interest is where a company needs to demonstrate a valid reason for using personal information.

Because Royal London is using legitimate interests for marketing, we don’t ask customers to consent to us sending marketing communications. Our Privacy notice explains why.

However, customers have the right to object to us using their personal information by ticking a marketing ‘opt out’ box in our applications forms.

How can I get more information?

You can find a full list of your adviser responsibilities and more information on GDPR by visiting

This website is intended for financial advisers only and shouldn't be relied upon by any other person. If you are not an adviser please visit

The Royal London Mutual Insurance Society Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The firm is on the Financial Services Register, registration number 117672. It provides life assurance and pensions. Registered in England and Wales number 99064. Registered office: 55 Gracechurch Street, London, EC3V 0RL.