18 May 2018
Our 5-step GDPR checklist for financial advisers
On 25 May 2018, new regulations come into force which change the way you deal with your clients’ data. The General Data Protection Regulation (GDPR) builds upon the requirements of the current Data Protection Act, but there are some significant changes which you need to be aware of. Keep reading for your five-step financial adviser GDPR checklist.
- Document what information you hold
Your first step under the GDPR is to document what personal data you hold about your clients, where it came from, and who you share it with.
Undertake an information audit and keep a record of the personal data you have. This will also help you to comply with the new ‘accountability’ principle which requires you to be able to show how you comply with GDPR, for example by having effective procedures in place.
The new regulation also requires you to maintain records of your processing activities, and the audit makes other obligations workable in practice. For example, if you discover that personal data you hold is inaccurate and you have already shared it with another organisation, you will have to tell that organisation about the inaccuracy so that it can correct its own records. You cannot do this unless you know what personal data you hold, where it came from and who you share it with.
- Make sure your existing clients are happy to continue to hear from you
GDPR changes how you approach new clients and how you communicate with your existing clients. Consent is not the only lawful basis for processing under GDPR, but where you rely on it for marketing contact, from 25 May 2018 you must be able to prove that the people you contact have given ‘opt-in’ consent.
By only communicating with clients who have opted in, you are more likely to have warm leads, and therefore sales.
If you want to email a potential client, your first message should ask them to confirm that they are happy to receive further emails from you. Bear in mind, though, that you need a lawful basis for that first message too: you cannot email someone who has never opted in to your correspondence simply to ask for their consent.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. The rules on consent are tougher than before, and individuals can withdraw consent at any time.
- Update your privacy notice
Your privacy notices should explain, in plain language:
- what personal data you are collecting
- why you are collecting it, and on what lawful basis
- who you share it with
- how long you will keep it, and how a client can ask you to correct or delete it.
Use GDPR as an opportunity to tell your clients how you safeguard their information: that you will only ask for or exchange personal data over a secure channel, that their data is stored securely, and that it will not be shared without their knowledge.
- Prove that you are compliant
Under the new regime you must be able to demonstrate that you are compliant with the regulations. You need to be able to show that your contacts have consented to hearing from you, and when and how they gave this consent.
You also need to honour the right to erasure (the ‘right to be forgotten’). This means that, when an individual asks, you will have to delete that contact and their personal details from your systems, including long-term archives and backups, within the statutory time limit. The right is not absolute: where you are legally required to retain records, for example under regulatory record-keeping rules, you may refuse the request, but you must tell the individual why, and you cannot use the retained data for any other purpose.
You must also be able to provide individuals with the personal data they have given you in a structured, commonly used, and machine-readable form (the right to data portability), where your processing is based on consent or a contract and carried out by automated means.
Remember that under GDPR you remain responsible for individuals’ personal data throughout the entire data lifecycle. You will have to ensure that data you pass to third parties, such as platform providers or back-office software suppliers, is handled in a compliant manner, which in practice means a written contract that sets out what the third party may do with the data.
- Implement a policy for data breaches and record-keeping
GDPR may mean that you have to implement new data policies. For example, you will be required to have procedures in place to detect, investigate and report personal data breaches.
You will be under a legal obligation to notify the data protection authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and to tell the affected individuals without undue delay where the breach is likely to result in a high risk to them. Keep a log of every breach, including those you decide do not need to be reported, and record your reasoning. You will also have to keep records of your data processing activities and undertake data protection impact assessments before starting any processing that is likely to be high risk.
You should designate someone to take responsibility for data protection compliance. Appointing a Data Protection Officer (DPO) is mandatory in some cases, for example where your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and larger organisations should consider appointing one in any case.
Make sure you’re ready for GDPR
Though GDPR does present some challenges for businesses, many are missing out on the opportunities it may bring. For example, by only communicating with clients who want to hear from the business, you are more likely to have warm leads and therefore sales. Implementing these changes could also reduce conduct risk, as a proper data auditing system would be in place and client information would be kept up to date.
Moreover, by adhering to GDPR, using client data properly and conforming to the new regulations, your business will be seen as more trustworthy by clients and this is likely to improve the reputation of your business.
If you deal with any overseas clients, or you have children’s data on record, there are additional rules that apply. Find out more about preparing for GDPR in the Information Commissioner’s Office (ICO) guide.