Intelliflo’s GDPR Working Group is urging advisers to exercise caution in managing their data when preparing to comply with new GDPR rules that come into effect on 25th May.
Intelliflo says active decisions are required about deleting or keeping data and "the options are far from straightforward".
The Group, which met for the second time in late October, agreed actions regarding when data should be kept and destroyed in response to the GDPR ‘right to erasure’. Deleting data completely could leave advisers vulnerable should any claim be made against them in the future.
Given that there is no clear limitation on when a firm could receive a complaint from a data subject, the Group concluded that advice firms can legitimately reject a right to erasure request if the data subject had entered into a formal agreement with the firm, on the grounds of needing to defend any future potential legal claim. The Working Group agreed that a signed client agreement should be regarded as a formal agreement, even if the advice given was verbal and no product contracts were entered into.
The Group added that simply leaving all client data on file "may seem like the easiest solution but this is not acceptable under the GDPR rules". Keeping personal data that no longer has a use, or where its use cannot be justified, is a risk as firms must have a lawful reason to hold every item of personal data they process.
One way of handling the delete/keep challenge is for firms to ‘restrict processing’, and Intelliflo believes back office systems are ideally placed to provide solutions that continue to store the data but restrict who can see it and what is done with it in a fully auditable manner.
The Intelliflo GDPR Working Party comprises delegates from 11 networks and advice firms, representing around 2,000 UK advice firms. The aim is to reach a common interpretation of the impact of the GDPR on financial service firms and a best practice approach to implementation.
The group is meeting regularly to discuss how firms interpret the key articles of the GDPR regulation and how they plan to meet the requirements.
Rob Walton, Chief Operating Officer at Intelliflo and the Chair of the GDPR Working Group, commented: “The bottom line is that the GDPR requires action. Doing nothing with data is not an option if adviser firms are to comply with the new rules. Firms need to quickly establish a data management policy that balances the rights of the data subject against the firm’s right to meet regulatory requirements or potentially defend a legal claim.
“We are evolving the iO system to meet the challenges the new GDPR rules create and there is a big opportunity for advisers to use technology to help them comply with the regulations. It’s imperative firms act now to ensure that there is a purpose for all of the personal data they hold and to organise it effectively. Identifying which data should be deleted, which can be restricted and which can be actively used is an essential GDPR policy that, once completed, will save time and money in the long-term.”