Old Mutual International is very supportive of the GDPR, and its objective of strengthening data protection legislation. So we are applying the principles of the regulation as best practice throughout our business, including to data provided by our international advisers who act for local and non-European expatriate clients. We are treating all data as within the scope of the GDPR, regardless of where in the world advisers or their clients are based, and we are taking responsibility with advisers for processing, maintaining and managing our mutual client data.
The GDPR covers a broad range of personal data from basic identifiers, such as name and location, through to more special category data, such as racial or ethnic origin, state of health, political opinions and religious beliefs. It also bestows some very important rights on clients, as data subjects. Under the GDPR, clients have the right to:
- be informed about how their personal data is used
- access their personal information
- demand rectification in circumstances where data is inaccurate or incomplete
- ask for deletion or removal of personal data if the data is no longer required for the purpose for which it was originally collected (the right to be forgotten)
- restrict the processing of their data
- expect data portability so that personal data can be provided in a structured, commonly used and machine-readable format
- object to the processing of data for purposes such as profiling, research and statistical analysis
- be advised if their data is used in automatic decision making and have the opportunity to request human intervention or to challenge a decision.
In order to embrace the principles of GDPR, advisers need to follow good practice in data management – regardless of whether they are handling data that relates to clients, employees or anyone else. This means:
- processing data in a lawful, fair and transparent manner
- only collecting data for a specified, explicit and legitimate purpose
- minimising the amount of data held – data must be adequate, relevant and limited to what is necessary
- ensuring that data is accurate and up-to-date, where necessary
- only storing data for as long as it is needed
- processing data securely.
Advisers should only ask for, and record, personal data that is genuinely relevant and required. They should also be clear as to why the personal data is needed, and how it will be used, and follow appropriate processes for storing data that relates to clients and their family members, including partners and children. Furthermore, they must be able to prove that clients have ‘opted in’ to marketing communications. Material data breaches must be reported to the relevant supervisory authority, such as the Information Commissioner’s Office on the Isle of Man or in Ireland, depending on the jurisdiction, within 72 hours.
The enhanced approach to data protection ushered in by the GDPR is far more than a compliance exercise. It is an opportunity for advisers to review their systems and processes to ensure that their business is running as efficiently and cost-effectively as possible and that their data management policies are rigorous enough to protect client data. Competent collection, management and use of client data are crucial components of both conducting business today and providing outstanding customer service.
For more information about how advisers can use processes and systems to underpin sustainable business success, take a look at the operational efficiency training module on our Future Fit site.