View more on these topics

How advisers can make sure client data is secure

While some advice firms may be a little apprehensive about next year’s introduction of the EU’s general data protection regulation, it offers an opportunity to improve business practices and client relationships.

Firms have a year to prepare for full implementation of the GDPR, which represents the most important change in data privacy regulation in 20 years.

A significant amount of the GDPR was drafted in the UK and the Government has confirmed its introduction will be unaffected by Brexit. Far more data than at present will be seen as sensitive and the rules about obtaining clear, specific consent to use it will also be far more demanding.

Organisations will need to ensure they retain proof that this has been freely given and the client has been fully informed about what is involved.

The majority of firms already treat their client data appropriately. Nonetheless, the regulatory changes are necessary to support the digitisation of financial services and the broader economy.

An important first step for firms will be to undertake some form of data-mapping exercise, which will provide them with an understanding of what data they hold, where their data repositories are and how the data is being used. At the very least, an audit process can identify the data that is useful and how best to leverage its value. Consumers will be given greater control over their data, with added protection over privacy.

Data collection and exchange will underpin the growth of digitalisation in financial services in the coming years, and protection of this data will be central to building public confidence and trust in an evolving financial services landscape.

Keith Richards is chief executive at the Personal Finance Society

Compliance tip of the week: The data protection clock is ticking

Financial services firms now have under a year before the GDPR comes into effect. The GDPR will impact the way firms gather, store and manage the personal data they hold.

With the potential for significant fines and reputational damage in cases of non-compliance, no firm can afford to ignore this significant piece of legislation. To be prepared for GDPR, consider these key areas:

Personal data: Firms need to establish what personal data they hold within their organisation and understand the life-cycle of that data, including any high-risk processing activities.

Infrastructure: It is also important to be able to evidence the legal basis for processing personal data and to ensure this does not conflict with the rights and freedoms of data subjects. Policies should be well balanced to ensure data is effectively protected, and systems and controls should be geared towards data security and protection.

Third-party processors: All firms that process personal data can be held jointly liable with the data controllers for breaches. If a business transfers data to a third party for processing, they will need to ensure their supplier contracts are reviewed and amended where necessary, to ensure all data-handling and processing activities are compliant with the new regulation.

Lorraine Mouat is senior regulatory consultant at TCC

Recommended

Ian-McKenna-in-2013-700.jpg
4

Ian McKenna: Advisers need to ramp up their data security

One of the stark differences between adviser conferences in the UK and the US is the amount of content on data security. No US event is complete without several sessions on it but here such discussions are conspicuous by their absence. I expect this to change significantly this year. By 25 May 2018, all businesses […]

Technology-Computer-Binary-700x450.jpg

Advisers warned on tech security breaches

Advisers may be failing to accurately detect and report data breaches, experts warn, as new figures reveal just 42 incidents have been reported in the past two years. A Freedom of Information request submitted by Money Marketing shows 42 potential breaches of the Data Protection Act have been reported by advisers to the Information Commissioner’s […]

Newsletter

News and expert analysis straight to your inbox

Sign up

Comments

There is one comment at the moment, we would love to hear your opinion too.

  1. Biggest thing? “Consent” to process data outside of the contract. If you don’t have it (even for historical data) then you shouldn’t be processing them (think marketing post May 2018 for example).

    On secure data, realistically the majority of GDPR compliance will fall to tech companies to solve / structure. Those with Heath Robinson / homebrew solutions will still need to consider the ramifications – if anything if GDPR isn’t baked into the solution/process then it’s being handled wrong.

Leave a comment