GDPR - The Technology Solution
If you’ve not yet heard of the GDPR then please look at our earlier articles on how to plan for the GDPR in your organisation on www.moneyinfo.com/news. The drop-dead date is 25th May 2018 and as an adviser firm there’s a lot to do to ensure you can comply with the new rules.
Covering the requirements for GDPR is complex, but it is made much easier if you have a portal such as moneyinfo for your clients and staff. This is because a portal can provide your clients and staff with access to the personal data you hold on them and give them the opportunity to control their privacy settings (i.e., who can see what data), as well as providing you with a secure messaging environment to keep important data off email. What’s more, implementing moneyinfo for your business is much easier than you might think, and we’ve designed it to complement and enhance your existing investment in IT, cleaning up your data and re-energising your back office.
In this article, I am going to discuss both general portal functionality and the specific functionality in moneyinfo that can help you with the GDPR. Please bear in mind that some of this functionality may not be available via your existing portal (if you have one).
- Quality of the data.
Clients have a right to see the personal data you hold on them, and you need to have a method for keeping this data up to date. One of the issues firms voice to us regularly is that the quality of the data in their back-office system is suspect. Under GDPR, holding sensitive personal data without a comprehensive process for ensuring it is up to date could lead to significant fines.
At moneyinfo, we take the data from your back office, overlay it with up-to-date data from your platforms and providers, and then keep it up to date for you daily. You outsource the hassle of data management to us. This not only ticks your GDPR requirement, it gives you a clean and up-to-date database which will provide significant benefits to your business on an ongoing basis.
- Data Access - Complementing your existing IT investment.
One of the recommendations in the GDPR is that clients should, if possible, be given access to a secure portal where they can see the data you hold on them. This will limit the need for them to make a subject access request except for specific queries. Having access to the data online means they can understand the data you hold on them and check that it’s up to date, notifying you of inaccuracies before they cause problems.
An individual has the right to see all the personal information you hold on them, and this can be difficult to achieve from any and all of your existing systems. It is almost certainly easier to implement a modern portal that can pull together all the information on a client from a variety of systems than to modify all of your existing systems to achieve the same job, which would only satisfy one part of the GDPR.
You will have lots of current systems that are holding personal data, and you will need to consider all of these for GDPR compliance. Systems to take account of are your back office/CRM system, cash-flow planning, risk-profiling, quotes engines, sales & marketing databases, payroll, HR and accounting systems, email and other systems you use to communicate with clients (which may include online chat systems such as WhatsApp, Facebook, LinkedIn and Twitter), Microsoft Office and other files on servers, desktops, laptops and back-ups, and the platforms and providers that you deal with.
All these can contain personal data on clients, prospects, staff and suppliers. You will need to consider whether the data can be legally held by you and communicate how and why you process it on behalf of the individuals concerned and how you ensure it is kept up to date.
moneyinfo can display the data you hold on individuals, aggregating data from your existing systems and presenting it to the individual in an easy-to-digest dashboard format. Individuals can control their data, notifying you of inaccuracies or out-of-date data and, using detailed privacy controls, directly controlling who can view what data about them. It also uses simple-to-follow icons to display how accurate the data is and when it was last updated.
Will you still need to audit your existing systems? Yes, but if the current data you process is in moneyinfo (aggregated from your back office, platforms and providers) then the requirement is more easily covered.
- Keeping Data Safe.
Secure Messaging and two-way document sharing.
Most portals deliver secure messaging and elements of document sharing. Secure messaging creates an email-type environment behind a firewall, but messages can only be sent between the client and adviser, thereby removing one of the pitfalls of email: sending information to the wrong client or a third party because of an incorrectly addressed email. Email is also relatively easy to hack, as it is generally unencrypted and can be intercepted in transit.
Secure message systems generally contain an audit trail of messages, which is imperative for compliance. Whilst most CRM systems can store an email trail of correspondence, they require users to actively store an incoming email against the client. A good secure messaging system will do this automatically.
Document sharing enhances secure messaging by allowing documents (best restricted to PDF format so they can still be read in the future) to be sent as part of the secure message. For many systems the document sharing is one-way only, i.e., you can deliver documents to your clients but your client can’t send you documents or store their own important financial documents securely in your portal. Two-way document sharing is an excellent feature for your clients and increases the feeling that the portal is for their benefit rather than just yours.
It must be mobile.
To fully replace email communications with secure messaging you need to ensure your messaging facility fully supports mobile access to messages.
If you send your client a secure message and the only way they can access it is via their PC, you will not get sufficient client adoption to remove communications from email. We all increasingly use our phones for more and more of our communications, and if you send your client a message, it should pop up a notification and allow them to respond easily on their phone, just as they would for email.
Phones are secure: the device can be tied to the account, meaning secure login is much easier, with just a PIN or other authentication such as fingerprint or retina scanning used to enable multi-factor login.
Secure messaging should be as easy as WhatsApp, not more cryptic than the Times crossword. Many system providers seem to think that making it impossible to use makes it secure. Wrong. Making it difficult to use just guarantees your clients won’t use it.
- Subject Access Requests.
If your client portal allows a client to see a superset of all the data you hold on them, then you are limiting subject access requests to a minimum, and these will most likely relate to a specific event. These should be relatively easy to deal with by a download of the compliance history from your CRM or other systems regarding the specific matter in question. This can be delivered securely via your portal, ensuring it is only available to the client making the request. One of the side effects of the GDPR is that there may be significantly more data access requests, and verifying that the recipient is legally entitled to make the request is imperative. Having a secure portal makes this process much safer.
- Data Portability.
moneyinfo’s API allows you to access the data within moneyinfo, both to update your other systems and to provide an individual’s data in a portable format such as XML.
Clients can use moneyinfo to record all their finances, not just the bits you manage on their behalf. As some of this data might be sensitive, moneyinfo provides comprehensive privacy controls allowing the client to specify who can see what. This reassures clients that you are taking their privacy very seriously and helps encourage them to tell you the whole picture, further helping you demonstrate your commitment to GDPR and data privacy for your clients.
Doing things in the right order.
Many firms we talk to think they need to implement a new back-office system, adopt a single platform and migrate all their clients on to it before they can look at implementing a client portal. With GDPR, implementing a client portal should be the next thing you do, not the last thing you do. It will re-energise your existing IT investment, provide you with clean data for your business and make your clients go ‘wow’. It makes complying with the requirements of the GDPR much easier and demonstrates your commitment to ensuring your clients’ personal data is safe and kept safe at all times.
Make talking to moneyinfo the 1st stage in your GDPR planning, not the last.
A full copy of the GDPR legislation is available at:
GDPR Events (Jan/Feb 2018)
You should have heard of the upcoming GDPR regulations that are replacing the Data Protection Act from May 2018. We’re here to help you understand the steps you need to take to comply with the new rules and demonstrate how technology can help you meet those requirements.
The moneyinfo team are hitting the road in 2018 with a series of workshops to show how you can best address the opportunities and challenges that GDPR presents. We are joined by guest speaker Chris Davies, the CEO and founder of Engage Insight and the RegTech platform Model Office, a financial regulation technology consultancy focused on compliance and strategic change management solutions. Chris is an expert in all things to do with FCA regulation, and GDPR & MiFID II are his hot topics of conversation at present.
Starting in the New Year, there are only a few months left to make sure your firm is compliant, and the fines are eye-watering if you choose to do nothing. Given that the ISA season will quickly be upon us, we’ve chosen to run the workshops early in the New Year so you can get started on your GDPR project before you get distracted by the financial year end.
The GDPR workshop will cover the following key topics:
- The 12 key steps to GDPR compliance
- What to do, how to do it and in what order
- Why email is your worst nightmare
- The dos and don’ts for keeping data safe
- Managing client privacy and addressing data quality issues
- Data Portability and subject access controls
Following the session, you’ll be much better placed to tackle GDPR and we’ll leave you with an action plan of what needs doing and the best order to do it in. We’ll show you how technology can help and the main issues that will lead you into trouble. There’s no cost and you get CPD points as an added incentive.
Book your place today and get your business up to speed.
Visit our Eventbrite pages for more information on upcoming events around the UK:
- London - 23rd Jan 2018
- Birmingham - 24th Jan 2018
- Glasgow - 1st Feb 2018
- Bristol - 8th Feb 2018
- Leeds - 15th Feb 2018
Article by Tessa Lee.
Tessa Lee is managing director of moneyinfo limited and has 25 years’ experience working with advisers and adviser technology: first as an IFA administrator, then as head of product management at 1st Software (now IRESS), before starting her own FinTech business, FinQS, which was acquired by moneyinfo in 2011. Tessa was appointed managing director of moneyinfo in April 2017.
About moneyinfo limited.
At moneyinfo we work with adviser firms in wealth management and workplace to develop a complete digital client relationship. We provide clients secure access to their entire financial life including their investments, pensions, savings, property, insurances, banking, credit cards and mortgages. We help advisers to service more clients more profitably.
To find out more please visit our website www.moneyinfo.com or call us on 03303 600 300. We’d love to hear from you.
GDPR references:
- Article 5(d): Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
- Recital 63: Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.
- Article 25: Data protection by design and by default; Article 32: Security of processing.
- Article 15: Right of access by the data subject.
- Article 20: Right to data portability.
- Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject; Articles 13 and 14: Information to be provided.