The introduction of the GDPR on 25 May 2018 has profound implications for businesses across the UK. Financial advisers are not excluded from this and must ensure they are cognisant of the GDPR’s requirements. There is no transition period: compliance with the new regime is mandatory from the day it comes into effect.
Understanding the GDPR’s requirements: where to find help
Businesses still struggling with what the GDPR will mean for them must act now. The Information Commissioner’s Office should be the first port of call. The website contains a suite of documents designed to help organisations both large and small to understand the new regime and identify its salient points.
The GDPR and financial advisers
Financial advisers may still be asking themselves which areas they need to concentrate on to ensure their own compliance with the GDPR. The key points to focus on are:
1. Human error. This is the number one cause of data breaches. Effective staff training is the best way to minimise the chance of this happening within a business.
2. Software. Ensuring that software used by IFAs complies with the GDPR is crucial. This may be difficult to assess, but a good provider such as https://www.intelliflo.com/ will be able to help an IFA understand how using a particular piece of software might affect a client’s data protection rights.
3. Policies and procedures. The measures that a company implements to ensure its compliance with the GDPR must be recorded in clear and accessible policies and procedures. Relevant privacy and fair processing notices need updating and notifying to clients.
4. The 72-hour rule. This is the provision that dictates that breaches of the GDPR must be notified to the data protection authority – in the UK, this is the Information Commissioner’s Office – within 72 hours of the breach becoming apparent.
5. Data duplication. It is essential to be aware of the risk of data being duplicated on devices, such as printers and photocopiers, and on online storage facilities, such as Dropbox.
6. Cybersecurity. This is always a concern but takes on new relevance under the GDPR. The risk of data being accessed by unauthorised individuals is very real; consequently, it is essential to apply security updates and patches as soon as they become available and to ensure a firewall is in place.