Steve Andrews, Head of Managed Services at Focus Solutions, shares some practical measures to help you make sure your business complies with the changes ahead
There are just a few weeks until the new General Data Protection Regulation (GDPR) finally comes into force on May 25. However, a significant number of businesses are still unprepared, and some are even unaware of what it actually is. According to a government survey released earlier this year, only 38% of businesses know about GDPR, and only just over a quarter of those have got to grips with what it means for them.
Time is now of the essence. Whilst it can seem daunting and onerous, there are some simple initial measures which advisers can put in place to get their house in good shape before the deadline.
Areas for review
Implementing simple cybersecurity measures is a good starting point. These could include ensuring that all security updates released by software suppliers and any known security patches are applied, and that systems and software are regularly assessed and scanned for vulnerabilities. It is imperative to ensure that backups are up to date and that a web application firewall is in place.
It is equally important to ensure that all software being used is compliant and to understand whether it will affect the data rights of clients. A clear record of the type of data held, its origins, its purpose and who it is shared with should be kept and reviewed rigorously to identify potential risks. This is also an opportunity to declutter: review the entire filing system, identify how many copies of each paper document exist and decide whether each copy is necessary.
It’s also worth bearing in mind that even the most secure physical information storage can be in jeopardy via the duplication of data on other devices such as printers and photocopiers. Any disposal should be carried out securely and responsibly.
Human error is also a factor to be taken into consideration. Documents handled by untrained staff can lead to data breaches. Staff should therefore be suitably trained, understand the significance of the legislation and know how to handle data responsibly.
All assessments made and measures put in place should also be recorded in clear company policy. Additional elements such as Fair Processing/Privacy notices must also be updated and clearly communicated to clients, explaining how and why their data is processed and demonstrating that their privacy and security is taken seriously.
Last, but not least, take the time to understand the 72-hour rule, which is often misinterpreted. One is obligated to report within 72 hours of “becoming aware” of a data breach, not within 72 hours of the breach itself taking place.
About the author
Steve Andrews is Head of Managed Services at Focus Solutions with responsibility for now:advise and hosted solutions. Steve was formerly Head of Adviser Technology Deployment at Sesame Bankhall and has also worked at CAERUS Capital Group.
About Focus Solutions
Focus Solutions is a financial services software house, founded in 1995. Focus’s products are primarily designed to support the delivery of advice. Focus works with leading financial advisers and networks to deliver software solutions across a range of sectors including investments, pensions, protection, mortgages and general insurance. Advisers can use one of Focus’s specialist software products targeted at a particular aspect of advice, such as Cash Flow Modelling, or our full front to back office solution, now:advise.