How does regulation impact how advisers should share sensitive data with their clients?
The table below highlights some of the regulatory factors all firms should consider when deciding how to communicate securely with clients.
Regulation | Summary | Implications for the adviser? | Examples |
---|---|---|---|
General Data Protection Regulation (GDPR) | Firms need to know what type of personal data they hold, where it is stored, who has access to it and how it is shared. | Advisers need to understand the type of data they hold and how they will send it to clients and providers. Those responsible for using personal data must know the rules and their responsibilities. | Many advisers use email to send client information without considering encryption, two-factor authentication or the overall security of the channel. |
Smarter Communications | The Smarter Consumer Communications initiative was launched in June 2015 to change the way information is communicated and delivered to consumers. | Consumers are coming to expect digital and more concise communications as a matter of course. Advisers need to find ways to meet those expectations securely. | Some advisers embrace personalised video technology but need to consider how it is transmitted to the client in a secure manner. |
Senior Managers Regime (SMR) | Regime aimed at raising standards of governance, increasing accountability and helping to restore confidence in the financial services sector. | Advisers need to identify who within the firm is responsible for particular functions, and how those individuals can restore confidence. Ensuring effective, secure communication is key. | Senior managers hold prescribed responsibilities that fall within their remit, for example SMF16 (compliance oversight). |
Information Commissioner's Office (ICO)/GDPR/Data Protection Act (DPA) | The ICO publishes guides to the legislation and helps firms understand their obligations and how to comply with the Acts. This guidance is especially important for Data Protection Officers (DPOs) and others with day-to-day responsibility for data protection. | Firms need to ensure they have adequate technical controls, such as firewalls and intrusion prevention, so that customer data is protected. | Firms appointing a DPO need to ensure that everyone who uses personal information understands their role in keeping that use compliant. |
Data Protection Act (DPA) | The 6 Principles of the Data Protection Act (DPA) ensure that personal information is handled in a particular way. | Advisers have to understand their role in adhering to the 6 Principles of the Data Protection Act. | Advisers need a secure mechanism for ensuring the data they hold is accurate and kept up to date. |
PRIN Principles for Businesses | PRIN provides a comprehensive high-level regulatory framework that sets fundamental standards which apply to authorised firms. | Firms and advisers need a clear understanding of the 11 Principles and must take them into consideration when carrying out work. | A firm that does not use adequate encryption to send suitability reports fails to take reasonable care to organise and control its affairs responsibly and effectively (Principle 3). |
Markets in Financial Instruments Directive (MiFID II) | MiFID II sets out new reporting requirements and tests to ensure a high degree of protection for investors, and places emphasis on greater transparency. | Firms now need to take reasonable steps to ensure the information collected on clients is reliable, along with a number of other requirements that must be followed during the advice process. | A firm must ensure a customer's costs and charges statement is sent with adequate security. |