With growing use of data across financial services, the need to protect the privacy of personal information has never been greater. To mark Data Privacy Day, we look at how financial advisers can help make sure clients' data stays secure.
The GDPR and the build-up to it now seem a long time ago, with so much overshadowed since by the Covid-19 crisis. But with the pandemic accelerating the shift to digital ways of working, the need for firms to stay on top of their data privacy obligations is greater than ever.
By the time the General Data Protection Regulation (GDPR) took effect in May 2018, data privacy was firmly on the radar of firms across the advisory sector. And with good reason. For one thing, the shift to digital practices over the past decade has seen advisers handling, processing and storing a rapidly growing volume of customer data. The GDPR also made clear that failing to adhere to good practice on data privacy could land firms with problems they could really do without. The Information Commissioner’s Office (ICO) can impose fines of up to £17.5m or 4% of annual turnover, whichever is greater, for the most serious infringements.
Risks and reminders
The need to protect the privacy of personal information online, not least where social media is concerned, is one of the main messages of Data Privacy Day. Taking place annually on 28 January, this global event gives firms an opportunity to step back and review their own approach to data privacy and cybersecurity. This starts with understanding vulnerabilities and how they evolve. Internet scams are constantly on the rise and present a very real risk for companies of all sizes.
No wonder that 44% of respondents to the Allianz Risk Barometer cited cyber incidents as their number one concern, putting the issue at the head of the barometer for only the second time on record[i].
Financial services in particular is a target for scams, given the amount of money passing through the industry. That includes advisers, but there are steps firms can take to protect themselves and to ensure that their clients’ data are handled safely.
The bare minimum
All firms should now have established practices in place for preventing data breaches and complying with regulations on the handling, storage and processing of client data.
The basic obligations of GDPR are now well understood; the primary ones are:
- Firms must obtain the prior consent of any client whose personal data they are processing, except in specific circumstances.
- Firms need to be clear as to why they are collecting data and how they will use it.
- Clients have the right to ask firms for the information held on them.
- Client consent for data usage can no longer be assumed from pre-ticked boxes, terms and conditions that have been accepted or from the customer not specifying a preference.
- Firms should also have evidence of the processes they have in place, including data protection policies, impact assessments and relevant documents showing how such information is processed.
- Firms must inform the ICO within 72 hours of a cyberattack or a breach of data.
In some ways, the task for advisers is simple and clear. For instance, all systems for collection, storage and protection of data should be robust and up to date. Firms should have a data protection officer in place if they hold large amounts of data, and secure information facilities for clients’ personal data.
In particular, there should be robust systems in place for identifying, managing and reporting cybersecurity and data breach risks.
A silver lining
In some ways, the pandemic may have been helpful in improving data practices. The wider adoption of digital ways of working – with an uptick in the use of virtual meetings, client portals and e-signatures – has improved the quality of the data that firms access and how they handle it.
Client portals have proved especially useful, providing a secure way of storing information and making personal data available to clients. This is important, given the risk of human error in tasks such as emailing or posting information to clients.
Staying up to date
Keeping software and applications updated is also key to maintaining data privacy, as outdated versions often have bugs and security vulnerabilities that are left unfixed. Technology providers in the advisory sector typically send out updates on a regular basis, or as and when required, to ensure that potential system vulnerabilities are addressed. These should be applied as soon as they are received in order to ensure robust cyber defences (and, therefore, compliance with regulatory requirements).
It may be nearly four years since GDPR took effect, but as adviser use of technology grows, so too do certain risks. Data Privacy Day serves as a timely reminder that keeping on top of your data practices and technology security is now fundamental to the resilience of any advisory firm.