date 2017-01-26

One of the stark differences between adviser conferences in the UK and the US is the amount of content on data security. No US event is complete without several sessions on it but here such discussions are conspicuous by their absence.

I expect this to change significantly this year. By 25 May 2018, all businesses in the UK need to comply with the EU’s General Data Protection Regulation. This will not change as a result of our forthcoming exit from the union.

GDPR considerably increases firms’ obligations and responsibilities. Under the new rules, far more data will be seen as sensitive, meaning advisers will need to substantially extend the list of items they treat with care. The rules about obtaining clear, specific consent to use data will also be far more demanding.

Firms that handle a significant level of consumer data (for example, any adviser operating in the workplace pensions or auto-enrolment markets) will be required to appoint a data protection officer.

Firms will also need to produce a privacy impact assessment in the event of a breach. The regulations also introduce an obligation to report any data breaches within 72 hours of being discovered. Such issues will need to be considered at the commencement of any data project.

This column is not intended as a full summary of the issues advisers need to consider in order to be GDPR compliant (that would take many articles) but hopefully it serves to highlight the fact firms must be thinking about it now.

Unnecessary risk

Meanwhile, there is another, perhaps more pressing, area in the context of data security. That is the way in which firms should protect any data being exchanged with clients and “insurers” via email.

It is approaching nine years since the then-FSA published its Data Security in Financial Services paper. This can still be found on its website at and is well worth another read. It highlights the view shared by both it and the Information Commissioner’s Office that laptops containing client data should not be taken outside the office unless the hard drives are encrypted.

It also describes the use of web-based email as putting client data at unnecessary risk. At the time, the FSA identified 65 per cent of a sample of small firms as indulging in such poor practices. Based on my experience, I would estimate such breaches are still going on at around one in four adviser firms.

While email has become the standard method of communication between businesses and consumers, few people understand quite how vulnerable it is as a method of communication. It is the digital equivalent of putting your customer’s sensitive information on a postcard and sending it through the mail. This is true not just of webmail but all unencrypted email.

We need to find an industrywide answer to the question of secure email communications. The last attempt at doing so – Unipass Secure Mail – can politely be described as having had only limited success.

Searching for an adviser solution

I believe there are several reasons for this and important lessons to learn.

To be fit for purpose, an industry email solution must be capable of working through the complete supply chain; something advisers can use with those from life offices, platforms, asset managers and master trusts, as well as with their clients.

Such a solution should always leave a decrypted message with any recipient as a permanent record. It must be capable of operating in conjunction with the email software within any adviser client management systems, front office systems and client portals.

It should also be able to work with leading office software like Outlook 365 and Google Docs, as well as securing instant message accounts – another tool that is nowhere near as secure as people perceive.

Law firms are suffering massive losses on a regular basis due to poor email practices. It is a miracle we do not have a similar problem with advice firms.

This problem should have been resolved when the FSA prompted the industry nine years ago. Let’s find an answer soon before the FCA revisits the subject and starts imposing fines for failure to address the clear regulatory guidance.

Ian McKenna is director of the Finance & Technology Research Centre