Supporting you through GDPR.
The aim of the General Data Protection Regulation (GDPR) is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. It comes into effect on 25 May 2018 and is mandatory for all companies interacting with EU residents, regardless of where the company is located/headquartered. The regulation will be transposed fully into UK law, even once the UK has made its exit from the EU.
This document outlines the features of FinPlan available to support your firm in meeting its GDPR obligations. Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professionals to determine how the GDPR might apply to your organisation.
Within the context of GDPR, you (the adviser firm) are the Data Controller, your clients are the Data Subjects and we (Bluecoat Software) act as one of your Data Processors.
A number of enhanced features will be released prior to the 25 May implementation deadline. These new developments, along with the existing features available to support you, are outlined below.
Privacy by design as a concept has existed for years now, but it is only just becoming a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built into systems from the outset of their design, rather than added afterwards. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.
The existing client access restrictions in FinPlan will be enhanced to provide user-defined access to specific clients. This will mean that it becomes possible to define which specific users have access to any specific client. These permissions will override any existing trust relationships in place so that, for example, staff members’ records can be restricted to a specific adviser, or a specific client’s details can be made accessible to only one adviser and one administrator in the firm.
The permissions will extend to messages received from the Client Portal so that, if required, these are only visible to selected users.
Part of the rights for data subjects is to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further the controller must, on request, provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
GDPR also introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’ and the right to transmit that data to another controller.
Bluecoat Software will offer a service to extract and collate all of the requested client data available within FinPlan. This will package the data in an Excel spreadsheet, along with any associated emails and documents. The data will be encrypted and made available for download via a secure web-link.
FinPlan users can already easily search for data stored in the system and share documents in a compliant way via the secure Client Portal if needed.
Article 32 says that taking into account the current technological landscape, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
It will be possible to stop any “processing” of a client’s records. This will leave a read-only copy of the details available within the system; however, access to the details will be audited and a specific reason for access will be required to view them. This facility will ensure that if client consent for processing is withdrawn you can still deal with enquiries relating to their records whilst ensuring no changes can be made.
Within GDPR you need to evidence explicit consent from your clients for the processing activities that you undertake using their data.
You will be able to record against each client the consents that you have obtained and associate the supporting document(s) with that consent. The date at which the consent was obtained will be recorded, along with any notes or commentary required.
Should consent be withdrawn at any time this can also be recorded so that a clear audit trail is maintained of when the required consents were in place.
FinPlan will enable you to search and report on specific consents that are in place (or are missing) so that, for example, you can target a mailshot only at those who have expressly granted their consent. You will also be able to monitor which clients do not yet have the required consents in place.
FinPlan will provide a warning where a processing activity is undertaken where no consent is currently in place (such as passing details to a third-party).
GDPR introduces a ‘right to be forgotten’ which means that all client data (including documents and emails relating to the client) must be deleted on request. All data should also be deleted ‘when it is no longer required’. The compliance requirement to maintain accurate records spanning several years takes precedence over both of these requirements. It will be necessary, however, to delete the data once this time-period has expired.
FinPlan will provide a report to identify clients that are candidates for deletion in that they do not have currently active policies and have generated no enquiries or granted any new processing consents within the specified time-frame (typically 7 years).
A new ‘Recycle’ bin will be introduced that provides a repository for deleted client and policy records and any emails or documents deleted. Delete permissions will be granted on a per-user basis. It will be possible to restore items that have been added to the ‘Recycle’ bin, however they will not appear in any other part of the system once deleted.
‘Company Managers’ will have the ability to perform a permanent deletion. This will delete the selected items in a non-recoverable, non-reversible fashion. It will not be possible for Bluecoat Software to access or recover this data. All such deletions will be audited so that a deletion report is available of what was deleted, the user who performed the action and the date and time it took place.
It is every firm’s own responsibility to be fully compliant by the deadline. Bluecoat Software, however, provides financial advisers with the right technology to support their efforts to be ready for GDPR.
This information is provided for your convenience and you are advised that, although care has been taken to ensure technical and factual accuracy, some errors may occur. No guarantee is given of the accuracy or completeness of information on these pages. You can find the full final version of the Regulation, released 6 April 2016 here.