Can you justify retaining all the data you hold?

By Robert Walton
20-Mar-2018 15:04:11

The General Data Protection Regulation (GDPR) is looming large on the horizon now, with 25 May edging ever closer. One of the more keenly debated aspects of the regulation is what firms should do with the data that they hold on individuals. Doing nothing is not an option and processes and procedures for data handling, at a minimum, require reviewing. Beyond that, how should data be handled and processed, and when should it be retained or deleted?


The nuclear option is to delete all data held on individuals. JD Wetherspoon, the pub chain, is taking that option: it is deleting all the email addresses and other information that people have given to it, and focusing its marketing efforts elsewhere, via routes such as social media. This reduces the risk of a data breach, or of errant marketing contact – both of which could land you in hot water under GDPR – to zero.

Things, of course, aren’t so simple in the financial advice industry. Advisers enter into important contracts with their clients and the actions of an adviser can have a material impact on their lives. Of course, retaining data on current clients is essential, but could deleting the data of expired clients be an option?

Financial advice firms could do this, but while it removes the risk of a data breach or illegal contact, it creates another risk: legal action taken by the individual for mis-sold advice. There is no time limit on when clients can take legal action against financial advisers for this. To defend such claims, even if they pertain to advice given a generation ago, firms will need all of the relevant documentation.

This brings us back to the risk of a data breach. Should the data get stolen, lost or destroyed, this represents a breach under the new framework. It would be logical, therefore, to consider permanently removing such data from your system, to definitively avoid such a mishap.

This is certainly the best course of action with old leads: those people you have spoken to in the past but have never had a contractual relationship with. Retaining their data appears to be an unnecessary risk. The data you do and don’t retain needs to be mapped out carefully.

There are other causes that can take matters out of your hands at a firm level. Under Article 17 of GDPR, individuals have the right to request the erasure of their personal details from firms which hold their data. On the face of it, this means that upon receipt of such a request, the data must be erased.

There are, however, caveats to this, notably the “establishment, exercise or defence of legal claims,” as well as the regulatory requirements placed upon firms, for example under MiFID II. For financial advice firms these are particularly relevant, since they mean that requests to erase data can be legitimately denied.

One step that advice firms can take to tackle data retention issues is to restrict the processing of such data. This essentially means that data can be retained, but the only processing of it is storing it. It is kept separately from your main data, accessible only when required, for example if an old client starts legal proceedings against your firm.

The recurring theme throughout GDPR is justification. If you can justify your processing of data, then the regulator - in the UK it’s the Information Commissioner’s Office (ICO) - will be in a position to sympathise with your side of the argument.

If an individual requests that you delete their data and you refuse based upon the possibility of future legal proceedings, they may then report this to the ICO. If you can justify the continued processing of the data, you are in a far stronger position than if you cannot.

This approach should form the backbone of your data retention policies post-GDPR. If you can’t justify retaining data, then don’t. The key to achieving this is to implement a data inventory, something which is mandatory under GDPR for firms whose processing activities are not occasional, could result in a risk to the rights and freedoms of individuals, or involve processing special categories of data.
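As an added illustration (not part of the original post), the following Python sketch turns the retention logic described above into a data inventory: each record gets a retain, restrict or delete decision with its justification recorded, restricted-processing data goes into a separate store that logs every access and its reason, and an erasure request from a former client is refused on the legal-claims ground. The relationship categories, record fields and sample records are constructed assumptions, not a real firm's schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Retention outcomes discussed in the post: keep live, keep under
# restricted processing, or delete.
RETAIN, RESTRICT, DELETE = "retain", "restrict", "delete"

@dataclass
class Record:
    subject_id: str
    relationship: str            # assumed values: "client", "expired_client", "lead"
    erasure_requested: bool = False

@dataclass
class Decision:
    action: str
    justification: str           # the justification the ICO would ask to see

def decide(rec: Record) -> Decision:
    """Map one data-subject record to a retention decision plus justification."""
    if rec.relationship == "client":
        return Decision(RETAIN, "current client: needed to perform the advice contract")
    if rec.relationship == "expired_client":
        why = "kept to establish, exercise or defend legal claims (Article 17 exemption)"
        if rec.erasure_requested:
            why = "erasure request refused: " + why   # refusal is logged with its ground
        return Decision(RESTRICT, why)
    if rec.relationship == "lead":
        return Decision(DELETE, "no contractual relationship: retention is an unnecessary risk")
    raise ValueError(f"unknown relationship: {rec.relationship}")

class RestrictedStore:
    """Separate store for restricted-processing data; every read needs a stated reason."""
    def __init__(self) -> None:
        self._data: Dict[str, Record] = {}
        self.access_log: List[Tuple[str, str]] = []
    def put(self, rec: Record) -> None:
        self._data[rec.subject_id] = rec
    def get(self, subject_id: str, reason: str) -> Record:
        if not reason:
            raise PermissionError("restricted data: a reason for access is required")
        self.access_log.append((subject_id, reason))
        return self._data[subject_id]

def build_inventory(records: List[Record]):
    """Return (inventory rows, restricted store, subject ids scheduled for deletion)."""
    inventory, store, to_delete = [], RestrictedStore(), []
    for rec in records:
        d = decide(rec)
        inventory.append((rec.subject_id, rec.relationship, d.action, d.justification))
        if d.action == RESTRICT:
            store.put(rec)
        elif d.action == DELETE:
            to_delete.append(rec.subject_id)
    return inventory, store, to_delete

# Constructed sample records for a stand-alone run.
SAMPLE = [Record("c-001", "client"), Record("x-002", "expired_client", erasure_requested=True),
          Record("l-003", "lead")]
```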