GDPR Policy
Regulatory requirements
One of the threshold conditions that the Firm is required to meet is appropriate resources. Resources in this context refers to the Firm’s systems and controls.
Principle 3 of the FCA’s Principles for Businesses requires a firm to control its affairs responsibly and effectively, with adequate risk management systems. This principle is supplemented by the FCA’s conduct rules, which require claims management firms to have systems and controls in place to ensure that any lead generators that generate leads to the Firm obtain the leads in compliance with FCA rules, the GDPR and PECR.
Due diligence process
1. Prior to obtaining leads from a third party for the first time the Firm will check the FCA register to establish whether the lead generator is FCA authorised and has the correct permission.
   a. If the lead generator is not authorised, the Firm will establish whether the lead generator is carrying out unregulated activity or is exempt from FCA authorisation by confirming the nature of the information that each lead will contain.
   b. If the leads will only contain profile data (i.e. non-claims specific data), the Firm will establish that FCA authorisation is not required and will proceed with its due diligence check.
2. The Firm will check the ICO register to establish whether the lead generator is a registered data controller.
3. The Firm will carry out an internet check to ascertain whether the lead generator has been subject to regulatory enforcement action or has received negative reviews. The Firm will seek confirmation and, where appropriate, obtain details relevant to the lead generator’s regulatory history. This will include checking whether the lead generator has previously been subject to regulatory enforcement action.
4. The Firm will establish how the lead generator obtains leads.
   a. If the lead generator obtains leads from websites, the Firm will obtain details of the websites and review them. The Firm will obtain details about how the lead generator drives traffic to its website.
   b. If the lead generator obtains leads from telemarketing, the Firm will review its call script, TPS screening process and suppression process.
   c. If the lead generator obtains leads from another third party, the Firm will review its due diligence process.
   d. If the lead generator obtains leads from electronic marketing or seeks out potential claims by way of telemarketing, the Firm will review its marketing content, consent statements and consent mechanisms.
   e. If the Firm will use the leads to market its claims management services by way of telemarketing or electronic marketing, the Firm will review the lead generator’s marketing content, consent statements and consent mechanisms.
5. The Firm will check the lead generator’s consent mechanism(s) and statement(s) to check that the lead generator lawfully passes leads to the Firm.
Frequency
The Firm will carry out a due diligence check on a lead generator before it accepts leads from that generator for the first time.
The Firm will refresh its due diligence check on a lead generator at appropriate intervals depending on the frequency with which the lead generator supplies leads to the Firm.
Notification
The Firm will notify the FCA if a lead generator is not authorised and the Firm is not satisfied that the lead generator is carrying out unregulated activity or is exempt from authorisation. The Firm will submit a notification to the FCA using the form in SUP 15 Annex 4R.
Record keeping
The Firm will maintain a record of its due diligence checks within its Due Diligence Form.
Review
The Firm will conduct a review of this policy on an annual basis, or sooner, if triggered by internal changes (e.g. business process changes) or external changes (e.g. changes in law).