GDPR - What to do and in what order
GDPR: what is it?
If you’re not up to speed on the forthcoming GDPR regulation, which comes into force on the 25th May 2018, please read our first GDPR article, “Should you be worried?”:
http://www.moneyinfo.com/news/GDPR1
But what should you do next?
Step 1: Raising awareness in your firm.
Get a team together involving compliance, HR and key decision makers. A representative from IT is also required as you will need to look at your IT systems and what data they hold. However, resist the temptation to just throw the problem at IT, this is a business opportunity not just an IT one.
For the first meeting, ask your team to consider what personal data you hold, where it came from, where it’s currently stored and the organisations you share it with. Examples of systems to consider are as follows –
- Your back office (desktop or in the cloud) and connected systems such as cash-flow planning and risk-profiling tools.
- Sales database (if this is different from your back office).
- Marketing Database (Leads etc).
- Payroll and HR systems.
- Email systems and other systems you use to communicate with clients, which may include online chat and messaging systems such as WhatsApp, Facebook, LinkedIn and Twitter.
- Microsoft Office and other files on servers, desktops, laptops, back-ups etc.
- Platforms and providers that you deal with.
- Accounting systems.
Don’t forget, you don’t only hold personal data on your clients, you also need to consider the personal data on your prospects, staff and suppliers.
At the meeting, nominate your Data Protection Officer[1]. Their first task is to pull together all the personal data you hold into the key categories –
- Clients and Prospects
- Staff
- Suppliers
You probably have permission to hold personal data on your clients and staff, but you may not have any agreement in place with prospects and suppliers. If you do a lot of marketing, your prospect list, and how you obtain personal data on prospects, should be a separate project in its own right.
Step 2: Consider why and how you are holding personal data.
First, the why …
Do you have a lawful basis to hold and process the data? If you don’t have a reason to hold the data, it is best to return it or destroy it. Document this process, setting out the reasons for the decision.
Then, the how …
Any data you do store needs to be relevant and accurate. You need a process to keep it up to date and to ensure it is protected. Most importantly, you need to document this process, as it will help you demonstrate compliance.
Step 3: Implement system changes to secure your personal data.
The personal data you hold needs to be protected. Get it off email. The GDPR states that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This is not compatible with emailing personal data.
Also, consider your existing systems. Some systems, such as your back office, may have been written many years ago as a desktop application using an unencrypted Microsoft Access or SQL Server database. Worryingly, many of these systems can now be accessed through the web, so think about whether the data on these systems is fully encrypted.
As a data controller, you will need to approve the third-party systems you use for storing personal data and make sure they have adequate controls and procedures in place for detecting and reporting data breaches regarding your personal data.
Take time to think about how you will comply with the following requirements –
1. Subject access requests
You have one month to comply with a request by an individual for details of all the information you hold on them. In most cases, you cannot charge for this, so the number of requests is likely to increase dramatically. Most importantly, you need a process in place to verify the identity of the person making the access request and to confirm that they are legally entitled to the data.
2. Data access
Where possible, you should be able to provide remote access to a secure system which can provide your clients and staff with direct access to their personal data.
3. Data portability
Clients have the right to request the data you hold as a data controller (which you almost certainly are). You need to provide their personal data in a structured, commonly used and machine-readable form (probably CSV, Excel or XML). Personal data could well be stored in attached documents, and to comply you will also need to make these available to the client in a suitable format such as PDF.
4. Data breach impact assessment
There is a legal requirement to carry out a privacy impact assessment where highly sensitive data is processed, which covers most of the data you hold. You need to have procedures in place to detect data breaches and, in most cases, will need to report these to the ICO and to the individuals affected. Failure to notify can result in a fine in addition to the fine for the breach itself.
GDPR requirements can most easily be covered by implementation of a client and staff portal for communications. A portal will provide you with the ability to share important financial information in a protected, ring-fenced environment. Secure messaging, document sharing, privacy controls, subject access and data portability can all be covered easily by providing a client dashboard.
Remember, it is as important to do this for staff as it is for your clients. No more emailing pay-slips, P60s, fact-finds, valuations etc. Put it all behind a firewall.
Step 4: Review your privacy statements.
Most of your privacy notices are going to need updating, and following the rules is complex: the regulation requires you to ensure your privacy notice is concise, transparent, intelligible and easily accessible, whilst greatly expanding the information you need to include. One way round this is to layer the information, so that you provide a quick and easy-to-follow summary of the important or unusual uses of their personal data and a link to the full privacy policy if they want the information in detail.
Most importantly, don’t force the client to read complex legal documents regarding privacy. Keep it simple and straightforward for the client to control the use of their personal data. If there is a lot of information to show, consider the use of technology such as a privacy dashboard to allow the client to control their privacy settings against individual data items.
A quick overview of the information you need to include in your privacy notice is available at http://www.linklaters.com/Insights/Pages/General-Data-Protection-Regulation-survival-guide.aspx (Page 32). This survival guide from Linklaters is a very useful summary of the new GDPR regulations.
To download the GDPR regulation in full follow the link below –
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Step 5: Communications
You will need to communicate with individuals to make them aware of the data you hold, how long you hold it for and for what purposes you are going to use it, and to seek positive approval[2] for you to use the data.
You need to give the individual the right to –
- agree that you can hold the data on their behalf.
- notify you of any changes to the data.
- request that you don’t hold some of the data.
- opt-out completely.
You will need to make individuals aware of any consequences for the services you deliver if they object to you storing their personal data, but you do need to comply with their requests.
Many advisers also hold personal data on behalf of their clients’ children. The GDPR sets the age at which a child can give their own consent to the processing of their data at 16. If a child is younger, you will need to get consent to hold the child’s data from a person holding ‘parental responsibility’.
Individuals should be made aware of their right to complain to the ICO if they think there is a problem with the way you are handling their data. The information you send to them needs to be provided in concise, easy to understand and clear language.
Alternative step 1: Give moneyinfo a ring and we’ll help you with GDPR.
You need a strategy in place for dealing with the implications of GDPR and it’s likely there will be several technology decisions you will need to make to comply with the regulations.
At moneyinfo we can help you with your GDPR strategy, planning and implementation whilst protecting your existing investment in IT. The moneyinfo client portal connects with your current systems, platforms and providers to allow your clients to access all the information you hold on them and once in moneyinfo, we can provide this data in a portable XML format for your clients.
moneyinfo gives clients control over their privacy settings to decide what they are happy to share and with whom, and helps resolve the issues of incorrect or out-of-date data. We provide secure two-way communication between the adviser and client, including push notifications on mobile. Clients can access their information on all the devices they use, including smartphone, tablet and PC. All this is delivered under your brand, including branded apps for Apple and Android devices.
moneyinfo gives your clients complete financial peace of mind, knowing their data is protected, their privacy controlled and their adviser is on the ball when it comes to their data security.
Security, Privacy & Portability: we’ve got GDPR covered for you.
GDPR Events (Jan/Feb 2018)
You should have heard of the upcoming GDPR regulations that are replacing the Data Protection Act from May 2018. We’re here to help you understand the steps you need to take to comply with the new rules and demonstrate how technology can help you meet those requirements.
The moneyinfo team are hitting the road in 2018 with a series of workshops to show how you can best address the opportunities and challenges that GDPR presents. We are joined by guest speaker, Chris Davies, the CEO and founder of Engage Insight and RegTech platform Model Office, a financial regulation technology consultancy focused on compliance and strategic change management solutions. Chris is an expert in all things to do with FCA regulation, and GDPR & MIFID II are his hot topics of conversation at present.
Starting in the New Year, there are only a few months left to make sure your firm is compliant, and the fines are eye-watering if you choose to do nothing. Given that the ISA season will be quickly upon us, we’ve chosen to run the workshops early in the New Year so you can get started on your GDPR project before you get distracted by the financial year end.
The GDPR workshop will cover the following key topics:
- The 12 key steps to GDPR compliance
- What to do, how to do it and in what order
- Why email is your worst nightmare
- The dos and don’ts for keeping data safe
- Managing client privacy and addressing data quality issues
- Data Portability and subject access controls
Following the session, you’ll be much better placed to tackle GDPR and we’ll leave you with an action plan of what needs doing and the best order to do it in. We’ll show you how technology can help and the main issues that will lead you into trouble. There’s no cost and you get CPD points as an added incentive.
Book your place today and get your business up to speed.
Visit our Eventbrite pages for more information on upcoming events around the UK:
- London - 23rd Jan 2018
- Birmingham - 24th Jan 2018
- Glasgow - 1st Feb 2018
- Bristol - 8th Feb 2018
- Leeds - 15th Feb 2018
Article by Tessa Lee.
Tessa Lee is managing director of moneyinfo limited and has 25 years’ experience working with advisers and adviser technology, first as an IFA administrator, then as head of product management at 1st Software (now IRESS), before starting her own FinTech business, FinQS, which was acquired by moneyinfo in 2011. Tessa was appointed managing director of moneyinfo in April 2017.
About moneyinfo limited.
At moneyinfo we work with adviser firms in wealth management and workplace to develop a complete digital client relationship. We provide clients secure access to their entire financial life including their investments, pensions, savings, property, insurances, banking, credit cards and mortgages with full control over the privacy of their personal data.
To find out more please visit our website www.moneyinfo.com or call us on 03303 600 300. We’d love to hear from you.
[1] You should appoint someone in your organisation, or an external adviser, who has the knowledge, support and authority to take responsibility for your data protection compliance.
[2] Some points to note: consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, i.e. it cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
You are not required to refresh all existing DPA consents in preparation for the GDPR, but if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.