Our 5-step GDPR checklist for financial advisers
05 Jun, 2018
On 25th May 2018, new regulations came into force which change the way you deal with your clients’ data. The General Data Protection Regulation (GDPR) builds upon the requirements of the Data Protection Act, but there are some significant changes which you need to be aware of. Keep reading for your five-step GDPR checklist for financial advisers.
- Document what information you hold
You need to make sure that you document the personal data you hold about your clients, where it came from, and who you share it with.
Undertake an information audit and keep a record of the personal data you have. This will also help you to comply with the new ‘accountability’ principle which requires you to be able to show how you comply with GDPR, for example by having effective procedures in place.
The new regulations also require you to maintain records of your processing activities. For example, if you have inaccurate personal data and have shared this with another organisation, you now have to tell the other organisation about the inaccuracy, so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with – so this step is vital when aiming to be compliant with the GDPR.
- Make sure your existing clients are happy to continue to hear from you
The GDPR changes how you approach new clients and how you communicate with your existing clients. You now must be able to prove you have ‘opt-in’ consent from the people that you contact.
By only communicating with clients who have opted-in to hearing from you, you are more likely to have warm leads, and therefore an increase in sales.
Your first email communication with a potential client will be to ask them to confirm that they are happy to receive further emails from you. Bear in mind that they must have opted in to your correspondence in the first place.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must also be separate from other terms and conditions, and you need to have simple ways for people to withdraw consent. The rules on consent are tougher than before, and individuals can withdraw consent at any time.
- Update your privacy notice
Your privacy notice should explain:
- what personal data you are collecting
- why you are collecting this data
- who you have shared it with
- how you can evidence the deletion of such data to a client.
Now that the GDPR has been implemented, this is a great opportunity to remind your clients that you will continue safeguard their information, and never request or exchange personal information from them without secure transfer. Tell them that their data will be stored securely and not shared without their knowledge.
- Prove that you are compliant
Under the new regime you must be able to demonstrate that you are compliant with the regulations. You need to be able to show that your contacts have consented to hearing from you, and when and how they gave this consent.
You also need to provide people with the right to be forgotten. This means that, when requested, you will have to entirely delete that contact and their personal details from your system, including long term archives.
You must also be able to provide individuals with their personal data in a structured, commonly used, and machine-readable form.
Remember that under the GDPR you will remain responsible for individuals’ personal data throughout the entire data lifecycle. You will have to assure that any data you pass to third parties is handled in a compliant manner.
- Implement a policy for data breaches and record-keeping
The GDPR may mean that you have to implement new data policies. For example, you will be required to ensure that you have the correct procedures to investigate, detect and report data breaches to all parties affected.
You are under legal obligation to notify data protection authorities within 72 hours of a data breach, and individuals straight away. You will also have to keep records of your data processing activities and undertake privacy impact assessments.
You should designate someone to take responsibility for data protection compliance and, if you’re a larger organisation, you should appoint a Data Protection Officer (DPO).
Make sure you’re ready for the GDPR
Though the GDPR does present some challenges for businesses, many are missing out on some of the opportunities it may bring. For example, by only communicating with clients who want to hear from the business, you are more likely to have warmer leads, who are more likely to convert into sales than customers who don’t want to hear from you. Implementing these changes will also improve your conduct risk as a proper data auditing system would be in place and information will be kept up-to-date.
Moreover, by adhering to the GDPR, using client data properly and conforming to the new regulations, your business will be seen as more trustworthy by clients and this is likely to improve the reputation of your business.
If you deal with any overseas clients, or you have children’s data on record, there are other rules that apply. Find out more information on preparing for the GDPR in the Information Commissioners’ Office guide.