Annabel Kaye will speak about GDPR at the CISI Financial Planning Conference, 30 September to 1 October 2019. Book now to secure your place
A year on from the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR), the dust is beginning to settle and the long-term work begins.
Have you ‘done’ GDPR? Or do you feel that your practice is too small for complex data and cyber security audits? You could be forgiven for thinking that GDPR is all about direct marketing – we were all buried alive in consent emails at the time. But while consent and marketing are important, the day-to-day work securing client data can affect your reputation and business profoundly if things go wrong.
There is no one way to comply with GDPR. The right way for you will be shaped by your client base and your business model. How you deliver your service and to whom will always shape what information you need, how you can arrange to obtain it from your customers and how and to whom you transmit it.
As your business and client base changes, so will your GDPR compliance. Your security systems should never stand in the way of you doing business, but they should always stand in the way of you making mistakes that can ruin your reputation (and get you fined). GDPR is never a ‘done deal’ and you will always need to review it as you take on board new people, new software, new apps, new markets or new suppliers.
It is not all about cyber security and IT either. Here are some things to check:
1. Are you or your team taking paperwork home?
Unless you photocopy or scan paperwork before it leaves the office, you are moving original copies of information that are not backed up in any way. If that paperwork identifies clients, or their financial affairs in any way, the paperwork could pose as much of a security risk if lost, as any other form of data. Have you reviewed this?
2. Can you reduce the range of information that is moved around?
Rather than take a whole file, is it possible to move only parts of a file – and leave the information that identifies individuals in the office? Do you need to keep the files for the next three days of appointments in your briefcase/boot or can you take the files for each day out and return them?
3. How do you transport paperwork?
Do you have files loose in your car? Are they locked in a briefcase in the boot? While this won’t deter a serious thief, keeping them out of sight and out of easy reach will reduce the risk.
4. Who has which files at home or in the car?
Do you ‘sign out’ files before they leave the office? If your car is stolen or a briefcase is lost, would you be able to rapidly assess what information is in it and what the risk to data privacy would be?
5. Does your team know what to do if a file is lost?
Do you have clear instructions for your team on reporting a lost file? Do they (and you) know who to report the loss to and how to assess the risk the lost paperwork poses?
6. Imagine it is money in the briefcase
Imagine that your briefcase has £10,000 in cash in it. Would you let people leave the office without any record of who booked it out? Would you leave it unlocked, or on the back seat of the car? Would you mislay that briefcase and wait a few days to see if it turned up? Hackers and thieves value personal data. There is even a price list of what individual items are worth. What is the value of the information you carry around? What is the potential loss to a client if that information goes astray?
GDPR is a reputational issue
An increasingly data savvy customer base is going to be asking questions when you meet them for the first time. Not just, “What is your data privacy policy?” but “Who do you share my information with?” and “How do you secure it?” If your data privacy does not make it clear (or you don’t follow your own policy) their confidence in you will be affected.
No one ever says to their financial planner “don’t lose my data’ any more than we go to a bank and say “don’t lose my money”. But we have all seen the reputational harm caused when money or data are lost.
Whatever your target market, if your customers feel you can’t be trusted with their data, then they won’t feel able to trust you. GDPR is not just about compliance – it’s a process that should be an integral part of your business life.