Firstly, anyone else sing the Flo Rida GDFR song when they read GDPR? Nope? Just me then. Anyway. Let’s have a look at this, and what it is all about…
Firstly the good news: it's not as complex as MiFID II (hurrah), which you can read about here. The bad news? Both GDPR and MiFID II are EU law (GDPR is a regulation, so it applies directly without needing a UK act to implement it; MiFID II is a directive), and they are likely to be only the start of many such pieces of legislation, as regulators aim for clarity and transparency across all markets. Brexit does not change this: GDPR applies from May 2018, while the UK is still a member, and the government has said it intends to keep the same rules afterwards. So there may be more to come.
For now; General Data Protection Regulation. Let’s start with our facts:
- Applies from 25th May 2018 (it was adopted in 2016, so firms have had a two-year run-in)
- Builds on current data protection laws, with a focus on the modern digital world. Current data protection laws date from 1995 (the EU Data Protection Directive, which the UK implemented as the Data Protection Act 1998) – around the time dinosaurs roamed the earth, I believe.
- It is not just a financial adviser thing; it is being enforced across all businesses.
- There are eye-watering fines potentially applicable for those who flout the law: up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches. However, these will be rare and the ICO has stated it prefers “the carrot to the stick”.
The data protection around client data is split into:
- how it is acquired
- how it is shared
- how it is stored
In the modern digital world, with more and more means of communication available, simply locking away documents in a fireproof filing cabinet is no longer sufficient. Document management software such as FilecenterDMS.com can make storing and finding documents easier, and safer, provided access is limited to the people who need it, the store is backed up, and the backups are protected as carefully as the live copy. If you already take your data protection requirements seriously, there shouldn’t be a huge change in what you are already doing.
So, what are the issues for you?
Firstly you need to be mindful of the above; how you obtain information, how you store it and how you share it (with clients, providers and any other third parties). If you were to be subjected to a cyber attack, what processes do you have in place to:
- know it even happened (they can be sneaky little beggars) and
- inform the appropriate people: the ICO, which GDPR says you must notify within 72 hours of becoming aware of a breach unless it is unlikely to put individuals at risk; the affected clients, without undue delay, where the breach is likely to put them at high risk; and, as an FCA-regulated firm, the FCA under your existing duty to disclose anything of which it would reasonably expect notice.
If you’re wondering who would bother to cyber attack your business, consider that nearly 7 in 10 large businesses identified a breach or attack in the last year, with the average cost being £20,000! Small businesses can struggle harder to recover from attacks, with one in five taking a day or more to recover from their most disruptive breach. These attacks do happen, a lot, and they do cost firms, a lot!
So complying with GDPR just makes good business sense. That includes the third parties who touch your client data (platforms, providers, IT and back-office suppliers): under GDPR you stay responsible for data you hand to them, so choose processors that can show how they protect it, and have a written contract with each one setting out what they may do with it.
What can I do to protect my firm and clients?
Firstly, identify all sources of personal data (GDPR’s term; you will also see it called personally identifiable information, or PII): how it comes into your firm, where it is then stored, who can see it and what happens to it afterwards, including when it is deleted. With that journey mapped out, you can look at how the data is protected at each step of the way (passwords, encryption, locked cabinets, whatever it may be), and the same map is the starting point for the record of processing activities that GDPR asks firms to keep.
No matter how careful you are, you are still at risk (if the NHS can be hacked, so can you!), so the key is that you know when it has happened. This may sound obvious, but recent government research shows it takes a UK firm, on average, 400 days to know it has had a breach. 400 days! There typically aren’t any flashing lights going off when it happens. Nor do the hackers email to let you know it has occurred (though that would be pretty helpful of them).
So whether it is building in some sort of alert (for example on logins from unfamiliar places or out of hours, or on unusually large exports of client records), reviewing access logs regularly, or running anti-malware scans daily, you need to have some way of knowing if a breach has happened.
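What “some sort of alert” can look like in practice, as an added example that is not from the original post: a small script that reads application log lines and flags the three signs mentioned above (a burst of failed logins, a successful login from an unknown address or out of hours, and a bulk export of client records). The log format, the thresholds and the office IP addresses are all assumptions made for this example, and the sample log is constructed; adjust them to whatever your own systems actually record.

```python
"""Added example (not from the original post): a breach-indicator check over
application log lines.

Assumed log format, one event per line:
    <ISO-8601 timestamp> <user> <LOGIN_OK|LOGIN_FAIL|EXPORT> <source ip> [<records>]
Thresholds and office addresses are constructed values, not figures from the post.
"""
from collections import defaultdict
from datetime import datetime

FAILED_LOGIN_LIMIT = 5           # consecutive failed logins per user before we alert
EXPORT_RECORD_LIMIT = 500        # client records exported per user per day before we alert
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 counts as normal working time
KNOWN_IPS = {"10.0.0.12", "10.0.0.15"}   # constructed office addresses

# Constructed sample log: a normal morning, a password-guessing burst against
# "bob", then "alice" logging in from an unknown address late at night and
# exporting far more client records than usual.
SAMPLE_LOG = """\
2018-05-25T09:02:11 alice LOGIN_OK 10.0.0.12
2018-05-25T09:05:40 alice EXPORT 10.0.0.12 40
2018-05-25T12:10:03 bob LOGIN_FAIL 10.0.0.15
2018-05-25T12:10:09 bob LOGIN_FAIL 10.0.0.15
2018-05-25T12:10:15 bob LOGIN_FAIL 10.0.0.15
2018-05-25T12:10:21 bob LOGIN_FAIL 10.0.0.15
2018-05-25T12:10:27 bob LOGIN_FAIL 10.0.0.15
2018-05-25T12:10:33 bob LOGIN_OK 10.0.0.15
2018-05-25T23:41:02 alice LOGIN_OK 203.0.113.77
2018-05-25T23:43:19 alice EXPORT 203.0.113.77 1200
"""


def parse_event(line):
    """Split one log line into a dict; records defaults to 0 for non-exports."""
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "action": parts[2],
        "ip": parts[3],
        "records": int(parts[4]) if len(parts) > 4 else 0,
    }


def find_indicators(log_text):
    """Return a list of (indicator, user, timestamp) tuples, in log order.

    Each indicator fires once when its threshold is first crossed, so a long
    burst produces one alert rather than hundreds.
    """
    failed = defaultdict(int)          # user -> consecutive failed logins
    exported = defaultdict(int)        # (date, user) -> records exported that day
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stamp = ev["ts"].isoformat()
        if ev["action"] == "LOGIN_FAIL":
            failed[ev["user"]] += 1
            if failed[ev["user"]] == FAILED_LOGIN_LIMIT:
                alerts.append(("failed_login_burst", ev["user"], stamp))
        elif ev["action"] == "LOGIN_OK":
            failed[ev["user"]] = 0       # a success ends the burst count
            if ev["ip"] not in KNOWN_IPS:
                alerts.append(("login_from_unknown_ip", ev["user"], stamp))
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("login_out_of_hours", ev["user"], stamp))
        elif ev["action"] == "EXPORT":
            key = (ev["ts"].date(), ev["user"])
            before = exported[key]
            exported[key] = before + ev["records"]
            if before < EXPORT_RECORD_LIMIT <= exported[key]:
                alerts.append(("bulk_export", ev["user"], stamp))
    return alerts


if __name__ == "__main__":
    for indicator, user, stamp in find_indicators(SAMPLE_LOG):
        print(f"{stamp}  {indicator:<22} {user}")
```

Run against the constructed log it raises four alerts: bob’s fifth failed login, alice’s late-night login from an unknown address (two indicators, one for the address and one for the hour) and the 1,200-record export that follows. The point is not the script itself but that each alert goes somewhere a human will see it the same day, rather than 400 days later.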
Less junk in your trunk
Currently a client opts in to receive communication from you. All good. Under GDPR, consent has to be a clear affirmative action that you can demonstrate, so pre-ticked boxes, silence or simply not unsubscribing no longer count. The regulation does not literally say “double opt-in”, but sending a confirmation email and only treating the address as subscribed once the client clicks the link is the straightforward way to prove that the person who owns the address actually agreed. If you use something like MailChimp or Campaign Monitor, these will no doubt offer this for you (but check with them first). If you do it manually, it means twice as many emails. Basically, not unsubscribing isn’t the same as subscribing, and implied consent goes. Great for those of us who are bombarded with junk from every Tom, Dick and Harry who has ever glanced at our email address. But could be tricky if you’re the Tom, Dick or Harry.
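For anyone doing this without MailChimp, here is the double opt-in as an added example (not from the original post, and not any provider’s code): the confirmation link carries a token signed with a secret key, so it cannot be guessed or altered to confirm someone else’s address, it expires, and each confirmation is written to a consent record with the date, time and source you would need to show the ICO. The secret key, addresses, timestamps and the surrounding sign-up flow are all assumptions made for the example.

```python
"""Added example (not from the original post): double opt-in with an
HMAC-signed confirmation token, plus the consent record GDPR expects you to
be able to produce. Key, addresses and timestamps are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

SECRET_KEY = b"example only: load a long random key from your secrets store"  # assumption
TOKEN_LIFETIME = 48 * 3600   # confirmation links expire after 48 hours (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def make_token(email: str, issued_at: int) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(payload)).

    The payload binds the address and issue time, so the token cannot be
    forged, moved to another address, or used after it expires."""
    payload = json.dumps({"email": email, "iat": issued_at}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: int):
    """Return the confirmed email address, or None if the token is malformed,
    forged, tampered with or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_LIFETIME:
        return None
    return data["email"]


class ConsentRegister:
    """Tracks who asked to subscribe, who actually confirmed, and when and how."""

    def __init__(self):
        self.pending = {}     # email -> {"requested_at", "source"}
        self.confirmed = {}   # email -> full consent record

    def request_subscription(self, email: str, now: int, source: str) -> str:
        self.pending[email] = {"requested_at": now, "source": source}
        # In a real system the token goes only into the confirmation email.
        return make_token(email, now)

    def confirm(self, token: str, now: int) -> bool:
        email = verify_token(token, now)
        if email is None or email not in self.pending:
            return False
        request = self.pending.pop(email)        # a token confirms once only
        self.confirmed[email] = {**request, "confirmed_at": now}
        return True

    def may_email(self, email: str) -> bool:
        # Asking to subscribe is not consent; only a confirmed record counts.
        return email in self.confirmed


if __name__ == "__main__":
    register = ConsentRegister()
    token = register.request_subscription("client@example.com", 1527238800, "website form")
    print("before confirmation:", register.may_email("client@example.com"))
    print("confirmed:", register.confirm(token, 1527238800 + 600))
    print("after confirmation:", register.may_email("client@example.com"))
    print("record:", register.confirmed["client@example.com"])
```

Two design points worth keeping whatever tool you use: `may_email` is false until the link is clicked, which is the “not unsubscribing isn’t subscribing” rule in code, and the consent record stores the source and both timestamps, because being able to demonstrate consent is part of the requirement, not an optional extra.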
Data subjects (clients for the most part) will now have the right to obtain confirmation from you of what personal data is held on them, how it is being processed, where and for what purpose. You have to respond within a month and, in most cases, free of charge. Having clear processes in place will make any such requests simple and easy to deal with.
Another important one is the right to be forgotten (the right to erasure): a client can ask to be removed from your systems, which includes server backups and cloud facilities, not just the live database. It is not absolute: where you are legally required to keep records, as FCA record-keeping rules do for a lot of client files, you can keep what the law obliges you to, but you should be able to say exactly what you keep and why. Requests could arise when contacting old clients who have not been serviced regularly or when taking over client banks. Again, a watertight process to ensure people can be removed, if they request it, is vital.
Ultimately, the potential downside (huge fines for you, security breaches for your clients) is massive. But the requirements to avoid it are not necessarily onerous. And given how much has changed in the last 22 years, I think it’s fair to say this review is pretty overdue.