“They are missing the point that if you ask a client to send you a utility bill, there are two copies of that email – one in the outbox of the client, and one in the inbox of the adviser. When you send that to a paraplanner or provider, that’s two new copies [every time]. It’s hard to know where that information is held.”
Given the sheer bulk of client data that already exists, together with the numerous requirements placed on firms by the new rules, identifying the areas where advisers are falling short may prove arduous.
Jon Bartley, a partner at professional services firm RPC, says advisers should begin with a “data-mapping” process, assessing what data is held, and whether proper processes are in place. This could be carried out by the firm, or using external providers.
“Before you work out what your steps could be, you need to know what you currently have by the way of personal data and say ‘what am I holding and what do I do with it across the different functions of the business?’” he says.
A further requirement, for all data breaches to be reported to the Information Commissioner’s Office (ICO) within 72 hours, increases the pressure on businesses.
Erasure: A little respect
Others have pointed to the importance of prioritising different areas. A working group led by Intelliflo has identified the “right to erasure” and its ramifications as a key area of focus for intermediaries.
While this right does not extend to a blanket entitlement for data to be wiped upon request, individuals can expect to have personal data erased in certain circumstances. This includes situations where the information is “no longer necessary in relation to the purpose for which it was originally collected/processed”.
As such, there are clear instances where advice firms should be prepared to erase data after a certain period of time. This includes the personal information of any individuals who made enquiries with a firm but failed to proceed any further. An alternative solution could be to anonymise the data, a move that would ensure it falls out of the scope of GDPR.
“You should only keep data for use as long as you have a legitimate reason to keep it,” Mr Walton says. “You can’t keep anything that you have for perpetuity.”
The flip side of this is that firms can defend the retention of information in various instances. For example, they can justify holding on to data provided they have a valid legal ground to do so. One example would be where the data is needed ‘for the performance of a contract’, including circumstances where an adviser relies on the information to provide a client with portfolio updates.