
A common sense checklist for data protection

With new data protection rules coming into force next year, now is the perfect time to take a few simple steps to ensure your business is dealing with client information in the right way.

New legislation is overdue. 20 years after the introduction of the Data Protection Act, the General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

It is designed to take account of the huge technological changes that have occurred in recent years. These advances have led to substantial increases in the worldwide flow of personal data and to the accompanying challenges of protecting it.

Right to erasure

Many advisers will have heard about the GDPR in the press, not least the right to erasure (sometimes known as the right to be forgotten).

There is a misconception that this is an absolute right. It is not. A request for erasure of data can be refused on the grounds of ‘compliance with a legal obligation’, so it is important to swot up on the rules.

Data protection

The new rules focus on understanding what personal data a business is holding and the reasons for this. Protecting this data is vital with the increase in scams and identity theft, among other criminal activity.

It is vital that business owners understand what they hold, why they hold it and who has or could gain access to it. They should therefore also understand whether third parties access or process their client data. If so, it is time to review those third parties' contracts to ensure they have appropriate procedures in place to comply with GDPR too.

Most IFAs will probably have received a mountain of emails offering assistance. For any adviser who is just getting started, it is a good idea to visit the Information Commissioner’s Office website, which offers useful guidance and checklists.

The following quick pointers are on the whole common sense. 

The incoming legislation demands that data is accurate and, ‘where necessary’, kept up to date. Every reasonable step must be taken to ensure the accuracy of the data held.

For many advisers this can be managed through regular client reviews. It can also be done through online confirmations, via their website, of the data they hold. Alternatively, they may have a back-office system that allows clients access to their personal records.

Data minimisation is another requirement. Data should not be held for longer than is necessary for the intended purpose of processing.

Authorised financial services firms can rely on their legal obligation to retain records for specified periods as grounds for retaining data. Beyond that, many are looking at the possibility of needing the data in defence of a legal claim as grounds for holding it beyond the stipulated Financial Conduct Authority limits.

A data retention/deletion policy will need to be agreed at senior management level.

Part of this may be looking at old personal data held and assessing if it is required or whether its retention is in breach of GDPR’s data minimisation and accuracy requirements.

Client consent has been used as a legal basis for processing personal data. The conditions for this will now be tighter. The request for consent will need to be clearly distinguishable from other terms and conditions. Each purpose for which the data will be processed must be clear and the client will have the right to withdraw consent at any time.

As you would expect, consent must be explicit and use of opt-outs will not be valid. If an adviser intends to use the consent as the legal basis for processing post-GDPR, they will need to ensure existing consents meet GDPR standards. Consent will also be required from each client for direct marketing. Clients will have the right to withdraw it at any time.

Russell Facer is managing director of threesixty services.