Make sure your financial advice firm adheres to the GDPR.
There have been lots of news stories about the changes to privacy and data laws that formed part of the new legislation that came into force in the UK recently.
The General Data Protection Regulation (GDPR) is an EU regulation that also affects the UK. It is essentially aimed at protecting individual privacy, and it also covers the way that data is exported digitally beyond borders.
Here are five things that you can check to make sure that your financial advice business is fully compliant with GDPR requirements.
1. Existing clients
The main news story in the headlines about GDPR concerned how many emails everyone seemed to be receiving from companies asking them to confirm their details. These were sometimes clear and transparent, but others weren’t quite so upfront about being part of GDPR compliance.
Essentially, after May 2018, it became law that you needed express consent from existing clients and prospects that you were already in touch with to confirm that they wanted to continue to receive communications. This needed to be in evidential form (i.e. written consent), which is why so many emails were sent out as the deadline loomed.
Technically, after 25 May 2018, even sending requests for permission to stay in contact with clients would be a breach of GDPR rules, as there would be no consent from them to do so. However, there are exceptions, and you can continue communicating if there are contracts ongoing or other necessary “touch points” even without a reaffirmation of consent.
2. Data accuracy
Having permission to stay in touch is only the first step in GDPR compliance, as the bulk of the regulations cover how you handle data that you are given or collect. You need to be sure that you hold the correct information for all clients and prospects that you contact.
Muddled data can lead to mistakes and complications, and when you are offering financial investment advice, any breaches of personal information can have serious consequences. Maintaining accuracy in your records is therefore essential. As a finance professional, you should be no stranger to keeping records up to date, but you might need to look at how your customer relationship management (CRM) system can handle the new stringent levels of detail needed.
Old data needs to be reassessed and perhaps simply backed up to archive or even deleted if not needed. Checking the accuracy of old data can be time-consuming, so it might be easier to ask customers to resubmit their data or give them access to check their own records as part of your own GDPR-compliance programme.
Ultimately, being able to prove that you have taken all the reasonable steps that you can to ensure accurate data collection and storage will help you should the need arise and there is a complaint against you under GDPR regulations.
3. Portability and the right to be forgotten
As part of the moves to balance how data is handled and to give individuals more control, the GDPR rules cover how information is processed and moved from one provider to another.
If someone you hold data on requests a copy, then you must supply it to them without undue delay, which usually means within one month. The information should be provided in an easily readable form. This can simply be a PDF or another commonly used document format that can be easily understood.
Separate from the issue of requests to check the information that you hold on someone, anyone you have had dealings with can request that you forget them, meaning that you will need to delete them and any information attached to their profile in your database.
There are exceptions to this rule, and financial advisers can make use of them. In cases where clients who you have previously advised might in the future have legal recourse on your engagement with them, you are within your rights to refuse a request to be forgotten. However, this only applies to a strict set of circumstances in which you might need the data in the future (i.e. to defend a legal case or similar).
4. Awareness and responsibility
Being aware of your duties and responsibilities under GDPR is key. If a spreadsheet with data on individuals is accidentally sent to the wrong person, then this is a breach of the rules, but it also shows how easily avoidable falling foul of GDPR is.
Making sure that everyone in your business knows their responsibilities is essential, and a culture of “privacy by design” is the aim of the new regime. This means that training, and having access to all the relevant documents and procedures, is a vital component of compliance. If you can prove to the regulator that you have followed these steps, then it will stand you in good stead should there be an accidental breach or a malicious complaint filed.
5. Show your workings
The Information Commissioner’s Office (ICO) is the UK’s independent authority that covers topics such as promoting openness by public bodies and the kind of individual data privacy covered by GDPR. The ICO states: “The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.”
For a personal financial consultant, this is extremely important as dealing with other people’s money is all about building relationships based on trust. However, it should also come quite easily to anyone in the profession as keeping workings and a clear “paper trail” is often a vital part of day-to-day routines.
Under GDPR rules, the regulator will be looking for evidence that any breaches were beyond your responsible control and that you took all reasonable steps needed to avoid such a situation arising. By having a clear and definitive set of records, you will be well on the way to proving that your financial advice firm is GDPR compliant.