Intelliflo’s General Data Protection Regulation working group has claimed formal agreements allow advisers to refuse clients’ requests to erase their details.
New General Data Protection Regulation rules come into effect on 25 May 2018 and require advice firms to have a high-level policy regarding when data should be kept and destroyed in response to the right to erasure requirement.
But deleting data completely could leave advisers vulnerable should any claim be made against them in the future, the group has warned.
Given that there is no clear limitation on when a firm could receive a complaint from a data subject, the group – which includes regulation experts from NCC Group and legal firm DAC Beachcroft – concluded that advice firms can legitimately reject a right to erasure request if the data subject had entered into a formal agreement with the firm, on the grounds of needing to defend any future potential legal claim.
The working group agreed that a signed client agreement should be regarded as a formal agreement, even if the advice given was verbal and no product contracts were entered into.
Simply leaving all client data on file may seem like the easiest solution but this is not acceptable under the new data protection rules.
Keeping personal data that no longer has a use, or where its use cannot be justified, is a risk.
Firms must have a lawful reason to hold every item of personal data they process.
Rob Walton, chief operating officer at Intelliflo and the chairman of the General Data Protection Regulation (GDPR) working group, said: “The bottom line is that the GDPR requires action.
“Doing nothing with data is not an option if adviser firms are to comply with the new rules.
“Firms need to quickly establish a data management policy that balances the rights of the data subject against the firm’s right to meet regulatory requirements or potentially defend a legal claim.”
One way of handling the delete/keep challenge is for firms to ‘restrict processing’, and Intelliflo believes back office systems are ideally placed to provide solutions that continue to store the data but restrict who can see it and what is done with it in a fully auditable manner.
The ability to restrict processing will be a key tool in data management for firms complying with the General Data Protection Regulation, according to Mr Walton.
He said Intelliflo is evolving the iO system to meet the challenges the new General Data Protection Regulation rules create.
Mr Walton said: “It is imperative firms act now to ensure that there is a purpose for all of the personal data they hold and to organise it effectively.
“Identifying which data should be deleted, which can be restricted and which can be actively used is an essential General Data Protection Regulation policy that, once completed, will save time and money in the long term.”