Protecting personal data

Facebook is in the news this week because of the way in which Cambridge Analytica used Facebook data to influence how people vote. There are now 2.2 billion monthly active Facebook users in the world, which means that about 30%, or one in three, of the world population logs into Facebook at least once a month. For users like myself it provides a daily service which is free at the point of use, but I appreciate that it has to be paid for somehow, and most of Facebook’s revenue comes from advertising. Facebook is able to target specific advertising depending on your profile, and this is not necessarily malicious; indeed it can be useful to the end user, because through targeting we get to see things that interest us instead of things that do not. Where the data mining is on questionable ground, and why it has made the news, is that profiles have been used to influence people’s attitudes and in particular to influence their voting choices. I think that this issue will run for some time and we can all wait with anticipation to see what happens next.

Data Protection is currently being much talked about by all businesses in the UK and elsewhere because of the GDPR, which comes into force in the European Union on May 25th. The EU’s data protection laws have long been regarded as a gold standard all over the world. The EU Directive on the protection of personal data and on the free movement of such data was implemented on the 24th of October 1995, when the internet was in its infancy. The implementation of the General Data Protection Regulation will bring the regulations into the modern world and provide individuals with much needed protection. The UK has played a significant role in influencing the new regulations and in getting the whole of Europe to adopt this new data protection. Furthermore, the EU’s data requirements will influence the rest of the world, which is likely to adopt the same ‘gold standard’. It will be essential for anyone in the world to adopt the same standards if they trade or communicate with the EU (including the UK if it leaves the EU).

So, what does it all mean to you?

  1. Your consent to hold data must be freely given and you are free to withdraw that consent at any time. The terms of your consent must be clear and cannot be written in complex language or hidden amongst complex terms and conditions.
  2. If there is a security breach you and the data controller must be informed within 72 hours. Companies have to appoint a GDPR data controller and a failure to report within the time frame will result in large fines.
  3. You can request your existing data profile, and this must be supplied as a free digital copy (the current fee of £10 will no longer apply). The report must be detailed and include the various ways that your information is being used.
  4. You have a right to data deletion — the ‘right to be forgotten’ which means that if the original purpose or use of your data has been realised, you can request that the data is totally erased.
  5. You have the right to data portability which means that you can obtain your data and reuse that same data elsewhere if you choose to do so.
  6. Companies are required to design their systems with the proper security protocols in place and if they fail to do so they will be liable to a fine.
  7. Data Protection Officers (DPO) will have to be appointed, and the DPO and their department will become the person or persons for you to deal with in the case of your enquiry.

And what does it mean for us?

We are very pleased to report that Interface Financial Planning is already complying with the requirements of GDPR:

  1. For several years all clients have had secure 24/7 access to their data via The Personal Finance Portal and via PaperCloud. Our transparency has been part of our ethos and all clients have continual digital access to their data without charge.
  2. Communications and exchange of documents are completed via our secure client Portal. We do not use unencrypted email for exchange of any personal or sensitive data. For the rare occasion that email must be used we have a secure email exchange portal in place where the receiver has to log in and verify their details in order to read the email. The Portal is easier to use than the secure email facility, so this will usually be the communication method of choice.
  3. Postal communications (old fashioned snail mail) also pose a risk of data loss and this is one of the reasons why we limit the use of postal communications. Where a communication has to be sent by post and that communication contains personal or sensitive data we will use Royal Mail secure mail for delivery.
  4. Our security of data is already of the highest standard and our systems are regularly reviewed to ensure that we are using the best security available. Data security improvements will be implemented as and when they become available and our clients will be kept informed about any improvements.
  5. We aim to inform and educate our clients about data security and make them understand that careless password control at their end could expose their data to malicious or vindictive internet users. Clients are encouraged to send messages and documents securely via the portal and not to use email or postal mail.

We are aware that just one breach of data would undermine our clients’ confidence in our business, so data security is held as one of our highest priorities.

I have tried to make this complicated subject as user friendly as I can and if you would like more information or a more detailed explanation I refer you to The Information Commissioner’s Office (ICO).

I make no apology if this month’s newsletter and blog is rather heavy to read. Protection of your personal data is something that Interface Financial Planning takes very seriously, and we encourage you to do the same. Please take advantage of the secure communication methods that we have put in place.
