UK, Feb 7 2018

Better Business: Advisers must embrace technology for GDPR

Training staff on upcoming EU data laws should be a top priority for firms if they want to protect themselves against falling foul of new rules.

However, not all advisers are making the right kind of changes to ensure their systems and processes are robust enough, according to Brian Hill, managing director of Wiltshire-based IFA Jones Hill.

In the run-up to the General Data Protection Regulation (GDPR) coming into force on 25 May, Mr Hill’s firm has been carrying out actions to get ready.

One of his colleagues who is responsible for systems and processes has attended workshops and events, which have been fed back to other colleagues through internal training programmes.

Jones Hill has also made changes to its computer systems. The company now uses cloud technology. It has also installed a higher level of password controls and migrated email to Office 365.

The biggest cost to implement the changes has come from raising staff awareness about what they need to do to protect themselves and the data they have.

Mr Hill said: “This is about looking at what they should and should not do, which is often where the weakest link is.”

He warned that interaction he has had with other advisers has shown him that some are not implementing even the most basic security changes.

He said: “Worryingly, there are people who do not have password managers; still have local servers and are not working in the cloud.

“Our colleagues throughout the industry need to take this seriously. Should they have to report something where they have made a mistake there could be very [severe consequences].”

Insurance group Zurich has warned that adviser firms and platforms are likely to be prime targets for cyber criminals because of the large volumes of highly sensitive financial information they hold about individuals.

The warning follows the release of the 2018 Global Risks Report by the World Economic Forum and Zurich, which ranks cyber threats among the top five global risks.

Rob Walton, chief operating officer at Intelliflo, warned that individual advisers could be held liable where firms are reprimanded for breaking GDPR rules.

Mr Walton said: “Under the new GDPR rules, it is mandatory that any breach is reported to the Information Commissioner’s Office (ICO) and, in most cases the data subject, within 72 hours.”

Of the 96 reprimands that were made publicly available in 2017 by the ICO, 11 were directly aimed at individuals and not just the company they work for.

These were for offences of unwarranted accessing of personal data and sending sensitive data to personal email accounts without reason.

The figures highlight a significant leap in such reprimands, since no individuals were publicly targeted by the ICO in 2016.

Mr Walton, whose firm has also set up a GDPR industry working party, added that such instances could have been avoided with proper staff training.

He said: “Firms are at risk not only of fines, but also of highly negative media attention.

“Training staff so they are fully aware of what they can and can’t do with regards to data helps to reduce the risk of data breaches plus ensure the firm itself is not the focus for any potential enforcement procedures if staff claim they didn’t know they were doing something wrong.”

Ahead of May many firms, including Intelliflo, are offering training courses to help IFAs prepare.

Intelliflo’s online course covers GDPR awareness, phishing awareness and information security awareness.

Mr Hill said that other than his clients who work in IT or in military defence, most of his customers are not fully aware of the new data laws.

He said he has found that speaking to clients about how the company uses and secures their data has strengthened customer trust.

Ima Jackson-Obot is features writer at Financial Adviser