For those of us who have been working on this with regulators and government for some time, the structure and implications of the new data protection laws are well known. Yet on my travels and discussions with advisers around the UK at conferences and industry events, things do not appear to be that clear or well understood.
This is understandable given the raft of other regulation on the horizon, and having to keep up with this alongside the daily task of serving clients.
The General Data Protection Regulation (GDPR) becomes effective on 25 May 2018, and merely updates existing legislation laid down in the Data Protection Act 1998. This latest update brings the rules into the internet age and, more importantly, puts clients in control of their data.
What steps should advisers take now?
The first obvious action is to raise awareness within your firm.
Get a team together involving compliance, HR, key decision makers and IT. You need to understand what personal data you hold, that is, data that can be used to identify someone. You also need to understand where the data came from, where it’s currently stored and the organisations you share it with. This will include your back office and connected systems such as cashflow planning, risk profiling, your sales and marketing databases, plus your payroll and HR systems.
You'll also need to consider email and the other systems you use to communicate with clients, including online chat systems such as WhatsApp, Facebook, LinkedIn and Twitter.
Data protection also needs to look at the platforms, fund groups and life companies you deal with and the mobile devices your staff use, both in the office and when out seeing clients. Don’t forget, you don’t only hold personal data on your clients, you also need to consider the personal data on your prospects, staff and suppliers.
Only larger firms are formally required to appoint a data protection officer, but it is worth ensuring someone in the business has responsibility for compliance with GDPR. Their first task is to pull together all the personal data you hold into key categories, such as clients and prospects, staff and suppliers.
You probably have permission to hold personal data on your clients and staff but you may not have any agreement in place with prospects and suppliers. If you do a lot of marketing, your prospect list and how you get personal data on prospects should be a separate project on its own.
The question you need to ask yourself is why are you holding personal data? Do you have a lawful basis to hold and process this? If you don’t, it's best to return it or destroy it. Document this process, setting out the reasons for the decision. Any data you do store needs to be relevant and accurate. You also need a process to keep it up to date and ensure it is protected.
The GDPR states data protection measures need to be taken to ensure a level of security appropriate to the risk. So beware of simply emailing personal data or carrying it around unprotected and unencrypted. The same applies to back office and server databases. Worryingly, many of these systems can now be accessed through the web, so think about whether the data on these systems is fully encrypted.
Factors to consider
Subject access requests
You have one month to comply if an individual requests details of all the information you hold on them. Most importantly, you need a process in place to verify the identity of the person making the access request and that they are legally entitled to the data.
Under the GDPR, individuals can sue purely for distress caused by a data protection breach. There is no longer a requirement to show they have suffered financial loss although, if they have, this could increase the amount of damages to which they may be entitled.
There can be no cost attached to the individual for submitting a subject access request or for receiving the response. Should they require further copies of the personal data requested, a "fair and reasonable" administration fee can be charged. Under the existing rules, individuals can be charged £10 to obtain their data. A similar fee may be fair and reasonable in the event of a request for extra copies.
This is a regulation geared towards upholding the rights and privacies of the individual, so firms must treat any requests accordingly.
Data access
Where possible, you should provide remote access to a secure system to give clients and staff direct access to their personal data.
Privacy impact assessment
Keep it simple and straightforward for the client to control the use of their personal data. If there is a lot of information to show, then consider using technology to make it easier. This could mean setting up a privacy dashboard to allow the client to control their privacy settings against individual data items.
You will need to communicate with clients to make them aware of the data you hold, how long you will hold it and what purposes you are going to use it for, as well as getting positive approval for you to use the data. Clients are now in control, and they have the right to agree that you can hold the data on their behalf, notify you of any changes to the data, request that you don’t hold some of the data or opt out completely.
You will need to make individuals aware of any consequences to the services you deliver if they object to you storing their personal data, but you do need to comply with their requests. However, there is the complication of legal requirement and compliance. So, if they are an existing client, you need to point out they cannot exercise the 'right to be forgotten' as you are compelled to hold personal data for legal and compliance reasons.
Advisers can legitimately reject a 'right to erasure' request if the client has entered a formal agreement with the firm, on the grounds of needing to defend any future potential legal claim. A signed client agreement should be regarded as a formal agreement, even if the advice given was verbal and no product contracts were entered into. This should be in a clearly defined section of the agreement and not hidden.
The bottom line is the GDPR requires action. Doing nothing with data is not an option if advice firms are to comply with the new rules. Firms need to quickly establish a data management policy that balances the rights of clients and staff against the firm’s right to meet regulatory requirements or potentially defend a legal claim.
Individuals should be made aware of their right to complain to the ICO if they think there is a problem with the way you are handling their data. The information you send to them needs to be provided in concise, easy to understand and clear language.
The GDPR requires you to demonstrate you comply with the principles and states explicitly that this is your responsibility. So it's best to show reasonable steps have been taken towards avoiding a breach, or ensuring data accuracy. That way it's far more likely the ICO will adopt a sympathetic stance.
As we move ever closer to 25 May, we will continue to get alterations and updates right up to and possibly beyond the implementation date. The best reference point for anything to do with GDPR is the ICO website which has an extensive catalogue of guides to help you comply with the rules.
The Nucleus white paper GDPR: A guide for financial advisers, prepared in partnership with Phil Young of Zero Support, is available to download.