If we issue a privacy notice that asks for consent to process data (tick box), and the data subject doesn't get back to us, can we still send out our monthly newsletter, for example? For the avoidance of doubt, the data subject will be an active client with an active service proposition in place (i.e. will be invited for a review either quarterly, half-yearly or annually depending on client category).
Yes; as you will send their newsletter under legitimate interests marketing. You should also read the 3rd GDPR consultation paper to get a full understanding of what and why.
In terms of accurate personal data, does this relate to all data on a factfind (aside from name, address, DOB, NINO, health details)? What if particular pieces of policy data aren't obtained on a factfind; in these instances does a data subject have a right to complain/rectification under GDPR? Having had mixed feedback on this from various sources, the general feeling is that this is basic KYC and would be FCA and FOS territory in a complaint case, as wrong or lack of data affects advice and isn't a breach of security so wouldn't be GDPR territory.
GDPR only pertains to the data which you are processing. If you do not obtain a certain set of data, then there is nothing to complain about from the perspective of the data subject (your client/prospective client). The data subject will always have a right to rectification though, which could include requesting you update the information which you hold on them, including the insertion of further information which is currently not held by you.
This was taken from the ICO: "d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay"
GDPR does not supersede nor interfere with your obligations as laid out by FCA rules. So, if you have gaps in client data that lead to non-compliance with FCA rules, then this indeed would be FCA territory. GDPR has no bearing on the FCA rules with which you must comply.
I hope that helps.
Thanks Dan, that helps.
No problem, let me know if you need anything else. Here's the ICO link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/ Best regards, Dan.