Intelliflo’s GDPR Working Group is urging advisers to exercise caution in managing their data when preparing to comply with new GDPR rules that come into effect on 25 May 2018. Active decisions are required about deleting or keeping data and the options are far from straightforward.
The Group, which met for the second time in late October and from which a second paper has been produced for consultation among Intelliflo customers, discussed and agreed a high-level policy regarding when data should be kept and destroyed in response to the GDPR ‘right to erasure’ (right to be forgotten). Deleting data completely could leave advisers vulnerable should any claim be made against them in the future.
Given that there is no clear limitation on when a firm could receive a complaint from a data subject, the Group – which includes GDPR experts from NCC Group and legal firm DAC Beachcroft – concluded that advice firms can legitimately reject a right to erasure request if the data subject had entered a formal agreement with the firm, on the grounds of needing to defend any future potential legal claim. The Working Group agreed that a signed client agreement should be regarded as a formal agreement, even if the advice given was verbal and no product contracts were entered into.
Simply leaving all client data on file may seem like the easiest solution but this is not acceptable under the GDPR rules. Keeping personal data that no longer has a use, or where its use cannot be justified, is a risk. Firms must have a lawful reason to hold every item of personal data they process.
Rob Walton, Chief Operating Officer at Intelliflo and the Chair of the GDPR Working Group comments: “The bottom line is that the GDPR requires action. Doing nothing with data is not an option if adviser firms are to comply with the new rules. Firms need to quickly establish a data management policy that balances the rights of the data subject against the firm’s right to meet regulatory requirements or potentially defend a legal claim.”
One way of handling the delete/keep challenge is for firms to ‘restrict processing’, and Intelliflo believes back office systems are ideally placed to provide solutions that continue to store the data but restrict who can see it and what is done with it in a fully auditable manner. The ability to restrict processing will be a key tool in data management for firms complying with the GDPR.
Rob Walton continues: “We are evolving the iO system to meet the challenges the new GDPR rules create and there is a big opportunity for advisers to use technology to help them comply with the regulations. It’s imperative firms act now to ensure that there is a purpose for all of the personal data they hold and to organise it effectively. Identifying which data should be deleted, which can be restricted and which can be actively used is an essential GDPR policy that, once completed, will save time and money in the long-term.”
The Intelliflo GDPR Working Party comprises delegates from 11 major networks and advice firm customers, representing around 2,000 UK advice firms. The aim is to get to a common interpretation of the impact of the GDPR regulation on financial service firms and a best practice approach of implementation that will assist all Intelliflo customers in meeting the challenges of this new regulation.
The group is meeting regularly to discuss how firms interpret the key articles of the GDPR regulation and how they plan to meet the requirements. After each meeting, a consultation paper is produced that is shared with all Intelliflo customers for feedback. The next meeting is scheduled for the end of January 2018.