If you’ve not yet heard of the GDPR then please look at our earlier articles on how to plan for the GDPR in your organisation on www.moneyinfo.com/news. The drop-dead date is 25th May 2018 and as an adviser firm there’s a lot to do to ensure you can comply with the new rules.
Covering the requirements of the GDPR is complex, but it is made much easier if you have a portal such as moneyinfo for your clients and staff. A portal can give your clients and staff access to the personal data you hold on them, let them control their privacy settings (who can see what data), and provide a secure messaging environment that keeps important data off email. What's more, implementing moneyinfo for your business is easier than you might think: we've designed it to complement and enhance your existing investment in IT, cleaning up your data and re-energising your back office.
In this article, I am going to be discussing both general portal functionality alongside the specific functionality in moneyinfo that can help you with the GDPR. Please bear in mind that some of the functionality may not be available via your existing portal (if you have one).
- Quality of the data
Clients have a right to see the personal data you hold on them, and you need a method for keeping that data up to date. One issue firms raise with us regularly is that the quality of the data in their back-office system is suspect. Under the GDPR, holding personal data, and particularly sensitive personal data, without a comprehensive process for keeping it accurate and up to date could lead to significant fines.
At moneyinfo, we take the data from your back office, overlay it with up-to-date data from your platforms and providers, and then refresh it for you daily. You outsource the hassle of data management to us. This not only helps you meet the GDPR's accuracy requirement, it gives you a clean, up-to-date database that will benefit your business on an ongoing basis.
- Data access - complementing your existing IT investment
The GDPR recommends that, where possible, individuals are given remote access to a secure system where they can see the data you hold on them. This limits subject access requests to specific queries. Having the data available online means clients can understand what you hold on them, check that it is up to date and notify you of problems before they cause harm.
An individual has the right to see all the personal information you hold on them, and this can be difficult to achieve across all of your existing systems. It is almost certainly easier to implement a modern portal that pulls together all the information on a client from a variety of systems than to modify every existing system, which would in any case only satisfy one part of the GDPR.
You will have many current systems holding personal data, and all of them need to be considered for GDPR compliance: your back-office/CRM system, cash-flow planning, risk-profiling, quote engines, sales and marketing databases, payroll, HR and accounting systems, email and any other channels you use to communicate with clients (including chat and social tools such as WhatsApp, Facebook, LinkedIn and Twitter), Microsoft Office and other files on servers, desktops, laptops and back-ups, and the platforms and providers you deal with.
All of these can contain personal data on clients, prospects, staff and suppliers. For each, you will need to consider whether you have a lawful basis for holding the data, communicate to the individuals concerned how and why you process it, and show how you keep it up to date.
moneyinfo displays the data you hold on individuals, aggregating it from your existing systems and presenting it in an easy-to-digest dashboard. Individuals can control their data, notify you of inaccurate or out-of-date entries and, using detailed privacy controls, decide directly who can view what data about them. Simple-to-follow icons show how accurate each item is and when it was last updated.
Will you still need to audit your existing systems? Yes, but if the current data you process is in moneyinfo (aggregated from your back office, platforms and providers) then the requirement is more easily covered.
- Keeping Data Safe
Secure messaging and two-way document sharing
Most portals deliver secure messaging and some document sharing. Secure messaging creates an email-like environment inside the portal, but messages can only be exchanged between the client and the adviser, which removes one of the pitfalls of email: sending information to the wrong client or a third party because of an incorrectly addressed message. Email is also comparatively easy to compromise: it is generally not encrypted end to end, so it can be read or intercepted on the mail servers and mailboxes it passes through.
Secure message systems generally keep an audit trail of messages, which is imperative for compliance. Whilst most CRM systems can store an email trail of correspondence, they require users to actively file each incoming email against the client. A good secure messaging system does this automatically.
Document sharing extends secure messaging so that documents (best restricted to PDF so they remain readable in future) can be sent as part of a secure message. In many systems document sharing is one-way only: you can deliver documents to your clients, but clients can't send documents to you or store their own important financial documents securely in your portal. Two-way document sharing is an excellent feature for clients and reinforces the feeling that the portal is for their benefit rather than just yours.
It must be mobile
To fully replace email communications with secure messaging you need to ensure your messaging facility fully supports mobile access to messages.
If you send your client a secure message and the only way they can read it is on a PC, you will not get enough client adoption to move communications off email. We all increasingly use our phones for our communications, and if you send your client a message it should pop up a notification and let them respond easily on their phone, just as they would for email.
A phone can be tied to the account, so a device-bound credential combined with a PIN or a biometric such as a fingerprint or face recognition gives you multi-factor login without making sign-in a chore.
Secure messaging should be as easy as WhatsApp not more cryptic than the Times crossword. Many system providers seem to think making it impossible to use, makes it secure. Wrong. Making it difficult to use, just guarantees your clients won’t use it.
- Subject access requests
If your client portal lets a client see a superset of all the data you hold on them, subject access requests are kept to a minimum and will most likely relate to a specific event. These should be relatively easy to deal with by downloading the compliance history for the matter in question from your CRM or other systems. This can be delivered securely via your portal, where it is only available to the client making the request. One side effect of the GDPR is that there may be significantly more subject access requests, and verifying that the requester is the individual concerned (or is legally entitled to act for them) before releasing anything is imperative. A secure portal, where the requester is already authenticated, makes this process much safer.
- Data portability
moneyinfo's API allows you to access the data held in moneyinfo, both to update your other systems and to provide an individual's data in a portable, machine-readable format such as XML.
Clients can use moneyinfo to record all their finances, not just the parts you manage on their behalf. As some of this data may be sensitive, moneyinfo provides comprehensive privacy controls that let the client specify who can see what. This reassures clients that you take their privacy seriously, encourages them to tell you the whole picture and helps you demonstrate your commitment to the GDPR and to your clients' data privacy.
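To make the two ideas above concrete (a portable XML export, and per-item privacy controls that decide who can see what), here is an added illustration in Python. It is not moneyinfo's code or API; the roles, field names, freshness threshold and sample client record are all constructed for the example. It shows the pattern a practitioner would want: visibility is deny-by-default and decided per item by the individual's settings, every exported item carries its source system and last-updated date (the basis for the "is this up to date?" icons), and the export can be parsed straight back in by another system.

```python
"""Privacy-filtered, portable export of an aggregated client record.

Added illustration only: not moneyinfo's code or API. Roles, field names,
the freshness threshold and the sample record are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
import xml.etree.ElementTree as ET

FRESH_DAYS = 30  # constructed threshold: anything older is flagged "stale"


@dataclass(frozen=True)
class DataField:
    name: str
    value: str
    source: str            # system the value was taken from (provenance)
    updated: date          # when that source last refreshed it
    visible_to: frozenset  # roles the individual has allowed to see it


@dataclass
class ClientRecord:
    client_id: str
    fields: tuple


def freshness(f: DataField, today: date) -> str:
    """Label an item fresh/stale from its last update; drives the dashboard icons."""
    return "fresh" if (today - f.updated).days <= FRESH_DAYS else "stale"


def visible_fields(record: ClientRecord, viewer_role: str) -> list:
    """Apply the individual's privacy settings: deny unless the role is listed."""
    return [f for f in record.fields if viewer_role in f.visible_to]


def export_xml(record: ClientRecord, viewer_role: str, today: date) -> str:
    """Portable XML export, already filtered to what viewer_role may see."""
    root = ET.Element("subject", id=record.client_id,
                      exported=today.isoformat(), audience=viewer_role)
    for f in visible_fields(record, viewer_role):
        el = ET.SubElement(root, "field", name=f.name, source=f.source,
                           updated=f.updated.isoformat(), status=freshness(f, today))
        el.text = f.value
    return ET.tostring(root, encoding="unicode")


def parse_export(xml_text: str) -> dict:
    """Read an export back, e.g. when loading it into another system."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): {"value": el.text, "source": el.get("source"),
                             "updated": el.get("updated"), "status": el.get("status")}
            for el in root.findall("field")}


# Constructed sample record, aggregated from several hypothetical systems.
TODAY = date(2018, 5, 25)
SAMPLE = ClientRecord("C-1001", (
    DataField("address", "1 Example Street", "back-office", date(2018, 5, 20),
              frozenset({"client", "adviser", "paraplanner"})),
    DataField("isa_value", "45200.00", "platform", date(2018, 5, 24),
              frozenset({"client", "adviser", "paraplanner"})),
    DataField("risk_profile", "Balanced", "risk-tool", date(2017, 11, 2),
              frozenset({"client", "adviser"})),
    # Entered by the client themselves and kept private to them.
    DataField("other_property", "Rental flat, 210000", "client-entered", date(2018, 4, 30),
              frozenset({"client"})),
))

if __name__ == "__main__":
    # The adviser's view omits the client-private item; risk_profile shows as stale.
    print(export_xml(SAMPLE, "adviser", TODAY))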
Doing things in the right order
Many firms we talk to, think they need to implement a new back-office system, adopt a single platform and migrate all their clients on to it, before they can look at implementing a client portal. With GDPR, implementing a client portal should be the next thing you do, not the last thing you do. It will re-energise your existing IT investment, provide you with clean data for your business and make your clients go ‘wow’. It makes complying with the requirements of the GDPR much easier and demonstrates your commitment to ensuring your clients’ personal data is safe and kept safe at all times.
Make talking to moneyinfo the 1st stage in your GDPR planning, not the last.