GDPR: what is it?
If you’re not up to speed on the forthcoming GDPR regulation, which comes into force on 25th May 2018, please read our first GDPR article: Should you be worried?
But what should you do next?
Step 1: Raising awareness in your firm
Get a team together involving compliance, HR and key decision makers. A representative from IT is also required as you will need to look at your IT systems and what data they hold. However, resist the temptation to just throw the problem at IT, this is a business opportunity not just an IT one.
For the first meeting, ask your team to consider what personal data you hold, where it came from, where it’s currently stored and the organisations you share it with. Examples of systems to consider are as follows –
- Your back office (desktop or in the cloud) and connected systems such as cash-flow planning and risk-profiling tools.
- Sales database (if this is different from your back office).
- Marketing Database (Leads etc).
- Payroll and HR systems.
- Email systems and other systems you use to communicate with clients, which may include online chat and messaging systems such as WhatsApp, Facebook, LinkedIn and Twitter.
- Microsoft Office and other files on servers, desktops, laptops, back-ups etc.
- Platforms and providers that you deal with.
- Accounting systems.
Don’t forget, you don’t only hold personal data on your clients, you also need to consider the personal data on your prospects, staff and suppliers.
At the meeting, nominate your Data Protection Officer. Their first task is to pull together all the personal data you hold into the key categories –
Clients and prospects
You probably have permission to hold personal data on your clients and staff but you may not have any agreement in place with prospects and suppliers. If you do a lot of marketing, your prospect list and how you get personal data on prospects should be a separate project on its own.
Step 2: Consider why and how you are holding personal data
First, the why …
Do you have any lawful basis to hold and process the data? If you don’t have a reason to hold the data it is best to return it or destroy it. Document this process, setting out the reasons for the decision.
Then, the how …
Any data you do store needs to be relevant and accurate. You need a process to keep it up to date and ensure it is protected and most importantly you need to document this as it will help you demonstrate compliance.
Step 3: Implement system changes to secure your personal data
The personal data you hold needs to be protected. Get it off email. The GDPR states that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This is not compatible with emailing personal data.
Also, consider your existing systems. Some systems, such as your back office, may have been written many years ago as a desktop application using an unencrypted Microsoft Access or SQL Server database. Worryingly, many of these systems can now be accessed through the web, so think about whether the data on these systems is fully encrypted.
As a data controller, you will need to approve the third-party systems you use for storing personal data and make sure they have adequate controls and procedures in place for detecting and reporting data breaches regarding your personal data.
Take time to think about how you will comply with the following requirements –
1. Subject access requests
You have one month to comply with a request by an individual to have details of all the information you hold on them. In most cases, you cannot charge for this, so the number of requests is likely to increase dramatically. Most importantly, you need a process in place to verify the identity of the person making the access request and to confirm that they are legally entitled to the data.
2. Data access
Where possible, you should be able to provide remote access to a secure system which can provide your clients and staff with direct access to their personal data.
3. Data portability
Clients have the right to request the data you hold as a data controller (of which you are almost certainly one). You need to provide their personal data in a structured, commonly used and machine-readable form (probably CSV, Excel or XML). Personal data could well be stored in attached documents, and to comply you will also need to make these available to the client in a suitable format such as PDF.
4. Data breach impact assessment
There is a legal requirement to carry out a privacy impact assessment where there is processing of highly sensitive data, which is most of the stuff you hold. You need to have procedures in place to detect data breaches and, in most cases, will need to report these to the ICO and the individuals affected. Failure to notify can result in a fine in addition to the fine for the breach itself.
GDPR requirements can most easily be covered by implementation of a client and staff portal for communications. A portal will provide you with the ability to share important financial information in a protected, ring-fenced environment. Secure messaging, document sharing, privacy controls, subject access and data portability can all be covered easily by providing a client dashboard.
Remember, it is as important to do this for staff as it is for your clients. No more emailing pay-slips, P60s, fact-finds, valuations etc. Put it all behind a firewall.
Step 4: Review your privacy statements
Most importantly, don’t force the client to read complex legal documents regarding privacy. Keep it simple and straightforward for the client to control the use of their personal data. If there is a lot of information to show, then consider the use of technology such as a privacy dashboard that allows the client to control their privacy settings against individual data items.
A quick overview of the information you need to include in your privacy notice is available at http://www.linklaters.com/Insights/Pages/General-Data-Protection-Regulation-survival-guide.aspx (Page 32). This survival guide from Linklaters is a very useful summary of the new GDPR regulations.
To download the GDPR regulation in full follow the link below –
Step 5: Communications
You will need to communicate with individuals to make them aware of the data you hold, how long you hold it for and for what purposes you are going to use the data and seek positive approval for you to use the data.
You need to give the individual the right to –
- agree that you can hold the data on their behalf.
- notify you of any changes to the data.
- request that you don’t hold some of the data.
- opt-out completely.
You will need to make individuals aware of any consequences for the services you deliver if they object to you storing their personal data, but you do need to comply with their requests.
Many advisers also hold personal data on behalf of their clients’ children. The GDPR sets the age at which a child can give their own consent to the processing of their data at 16. If a child is younger, you will need to get consent to hold the child’s data from a person holding ‘parental responsibility’.
Individuals should be made aware of their right to complain to the ICO if they think there is a problem with the way you are handling their data. The information you send to them needs to be provided in concise, easy to understand and clear language.
Alternative step 1: Give moneyinfo a ring and we’ll help you with GDPR
You need a strategy in place for dealing with the implications of GDPR and it’s likely there will be several technology decisions you will need to make to comply with the regulations.
At moneyinfo we can help you with your GDPR strategy, planning and implementation whilst protecting your existing investment in IT. The moneyinfo client portal connects with your current systems, platforms and providers to allow your clients to access all the information you hold on them and once in moneyinfo, we can provide this data in a portable XML format for your clients.
moneyinfo gives clients control over their privacy settings to decide what they are happy to share and with whom, and helps resolve the issues of incorrect or out-of-date data. We provide secure two-way communication between the adviser and client, including push notifications on mobile. Clients can access their information on all the devices they use, including smartphone, tablet and PC. All this is delivered under your brand, including branded apps for Apple and Android devices.
moneyinfo gives your clients complete financial peace of mind, knowing their data is protected, their privacy controlled and their adviser is on the ball when it comes to their data security.
Security, privacy & portability: we’ve got GDPR covered for you.
Article by Tessa Lee
Tessa Lee is managing director of moneyinfo limited and has 25 years’ experience working with advisers and adviser technology: first as an IFA administrator, then as head of product management at 1st Software (now IRESS), before starting her own FinTech business, FinQS, which was acquired by moneyinfo in 2011. Tessa was appointed managing director of moneyinfo in April 2017.
About moneyinfo limited
At moneyinfo we work with adviser firms in wealth management and workplace to develop a complete digital client relationship. We provide clients secure access to their entire financial life including their investments, pensions, savings, property, insurances, banking, credit cards and mortgages with full control over the privacy of their personal data.