Educating staff is as important in preparing for the introduction of new data rules as having the right processes in place, a conference has been told.
The General Data Protection Regulation will come into effect on 25 May, bringing in several new requirements for firms.
Speaking at the Personal Investment Management and Financial Advice Association's conference on GDPR (22 March), Mudassar Ulhaq, chief information officer of Waverton Investment Management, said complying with the rules relied on all staff understanding them.
He said: "There is a huge educational requirement within the organisation and for me the training is as essential as the work to identify all the different types of documents and personal information across the business.
"It has really changed the mindset across the organisation to adapt to a privacy by design approach and take accountability of what they do.
"We have all experienced sending the wrong document to the wrong person. Unfortunately that is something that is really out of our control and that is an educational process."
Mr Ulhaq said Waverton had introduced checklists for staff to complete before sending information out, confirming whether the data needs to be sent at all and whether it is password-protected.
He also touched on the issue of lead lists, something which may be threatened by the introduction of GDPR.
Mr Ulhaq said firms should consider creating tiers of leads based on how long it had been since the firm last contacted them, with those not contacted for the longest time the most likely to need deleting.
But he also added that firms should consider taking legal advice to clarify this fully.
GDPR, which is a Europe-wide regime, introduces a number of rights that will affect financial advisers, including the right to erasure, meaning an individual can request the deletion of personal data relating to them, and the right of access, meaning an individual can demand information on how their data is being used and a free copy of their personal data.
It also introduces the right to data portability, which means a person must be able to transfer their personal data from one system to another without being prevented by the handler of their data.
Meanwhile, explicit consent must be obtained for the collection of data and for every purpose it is used for, and all data breaches must be reported within 72 hours.
At yesterday's conference, delegates were also told they shouldn't assume the biggest penalties under the incoming General Data Protection Regulation will be for massive data breaches.
Top level fines can also be handed out for simply emailing people who haven't consented, according to Duc Tran, a senior associate at law firm Herbert Smith Freehills.
The GDPR regime allows regulators to levy tier one and tier two fines.
The second tier will be up to €10m (£8.7m) or 2 per cent of turnover and the first tier will be up to €20m (£17.4m) or 4 per cent of turnover.