Regulation | Jan 2 2018

Advisers can legitimately reject right to erasure requests

New General Data Protection Regulation rules come into effect on 25 May 2018 and require advice firms to have a high-level policy regarding when data should be kept and destroyed in response to the right to erasure requirement. 

But deleting data completely could leave advisers vulnerable should any claim be made against them in the future, the group has warned.

Given that there is no clear limitation on when a firm could receive a complaint from a data subject, the group – which includes regulation experts from NCC Group and legal firm DAC Beachcroft – concluded that advice firms can legitimately reject a right to erasure request if the data subject had entered a formal agreement with the firm, on the grounds of needing to defend any future potential legal claim.

The working group agreed that a signed client agreement should be regarded as a formal agreement, even if the advice given was verbal and no product contracts were entered into.

Simply leaving all client data on file may seem like the easiest solution but this is not acceptable under the new data protection rules. 

Keeping personal data that no longer has a use, or where its use cannot be justified, is a risk. 

Firms must have a lawful reason to hold every item of personal data they process.

Rob Walton, chief operating officer at Intelliflo and the chairman of the General Data Protection Regulation (GDPR) working group, said: “The bottom line is that the GDPR requires action. 

“Doing nothing with data is not an option if adviser firms are to comply with the new rules. 

“Firms need to quickly establish a data management policy that balances the rights of the data subject against the firm’s right to meet regulatory requirements or potentially defend a legal claim.”

One way of handling the delete/keep challenge is for firms to ‘restrict processing’, and Intelliflo believes back office systems are ideally placed to provide solutions that continue to store the data but restrict who can see it and what is done with it in a fully auditable manner. 

The ability to restrict processing will be a key tool in data management for firms complying with the General Data Protection Regulation, according to Mr Walton.

He said Intelliflo is evolving the iO system to meet the challenges the new General Data Protection Regulation rules create.

Mr Walton said: “It is imperative firms act now to ensure that there is a purpose for all of the personal data they hold and to organise it effectively. 

“Identifying which data should be deleted, which can be restricted and which can be actively used is an essential General Data Protection Regulation policy that, once completed, will save time and money in the long-term.”

Last year FTAdviser revealed that adviser network Tenet had introduced a policy of keeping files for 80 years, as it warned that the lack of a long-stop exacerbates the issues advisers face when new data protection rules come into effect.

Caroline Bradley, group risk and regulatory director at Tenet, said: "We have decided we have got to hold it for a period of 80 years because if the client was 20 when they took advice, they will probably be dead by then.

"If a long-stop ever comes in then our retention policy will change but we have got to be able to defend the advice.

"The FCA has said the lack of a long-stop is not a problem because there are not a lot of complaints that come in but it is a problem because we have got to keep everything forever."

Intelliflo’s General Data Protection Regulation working party comprises delegates from 11 major networks and advice firm customers, representing around 2,000 UK advice firms. 

The aim is to get to a common interpretation of the impact of the General Data Protection Regulation on financial service firms and a best practice approach of implementation that will assist all Intelliflo customers in meeting the challenges of this new regulation.

The group is meeting regularly to discuss how firms interpret the key articles of the GDPR and how they plan to meet the requirements.

After each meeting, a consultation paper is produced that is shared with all Intelliflo customers for feedback. The next meeting is scheduled for the end of January 2018.

emma.hughes@ft.com