Speaking at yesterday’s FSE Glasgow event, GDPR expert Rob Walton, COO of Intelliflo and chair of the GDPR Working Group, emphasised the importance of advisers preparing adequately for the new data protection rules.
Walton outlined the key areas advisers needed to tackle in order to be compliant by the 25th May 2018 enforcement date - including ensuring privacy notices are issued to anyone whose data is held.
“The biggest thing you can get caught out on is privacy notices,” Walton began. “You’ve got to be aware of them, and ensure that all actively serviced clients receive a privacy notice by the deadline date.”
He added that, to further protect your business, a privacy notice should also be published on business websites as soon as possible.
Sanctions as a result of breaching or failing to meet the GDPR obligations are steep - up to €20m or 4% of revenue for a breach, and half that for failure to meet obligations. Not only this, but breaches become public record, which could damage the reputation of a business.
Walton was clear, however, that there are resources for advisers looking to ensure compliance.
He said: “There are lots of innocuous ways advisers could be breaching the rules - plenty of advisers will snap a photo of a client’s passport for identity checks on their personal phone, and that photo is then uploaded to the Cloud, and suddenly you’re breaching the rules for not storing personal information securely. But there are secure portals advisers can use for information, and systems such as DocuSign which eliminate the need to post forms as hard copies, and there are third-party data processors.
“Paper-based offices can look at moving to a paperless system, or storing their records securely with a dedicated storage company to mitigate the risk of fire or flood and losing their records. For those using software, it’s absolutely key that you keep your IT systems up to date and maintain annual training for staff.”
He also stressed the importance of having clear evidence for how data was handled, adding “Were anything to happen, you can then evidence your processes to the ICO.”
GDPR rules can appear complex and Walton acknowledged that the advice space may face ‘challenges’ as a result of its implementation, but he emphasised the importance of laying groundwork towards rigorous and transparent data protection processes.
He concluded: “The silver lining is that knowledge is increasing of data protection - your clients may well face the same regulations as you, and therefore being GDPR compliant is a badge of honour and could stand your business in good stead. Fundamentally, this will make your business better.”