We recently cleaned out our database. We contacted all clients, including orphan clients, and asked if they wanted to meet with us or if they preferred us not to contact them again. This took a big chunk off the GDPR workload.
Before 25 May, there are a few things to do on our website. For example, we need to address how long we hold information on people using our contact form.
At the moment, this information comes into a centralised email address. Here, we collect names, phone numbers and email addresses. Previously, that data had remained in our central system. Now, if those people do not become active clients, we will remove their details after a certain period of time.
One thing firms should do is engage with process mapping. When you get a new client, you ask yourself: how did they become your client? How does that go on to the back-office system? How do you create agency letters with providers off the back of that? How do you communicate further information to the client?
But some areas still require clarification. Some non-GDPR regulation says you have to keep certain data for a particular length of time. For example, data on any advice around pension transfers has to be kept pretty much indefinitely. This is contrary to what GDPR suggests.
Top tip: To help with a GDPR audit, use process mapping to see how data flows.
If you were subject to a GDPR audit, this is what they would look for: clarity of how data flows into, through and out of the business.
James Priday is director at Prydis Wealth