This article outlines the features of FinPlan available to support your firm in meeting its GDPR obligations. Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with your legal team and other professionals to determine how GDPR might affect your organisation.
Within the context of GDPR, you (the adviser firm) are the Data Controller, your clients are the Data Subjects and we (Bluecoat Software) act as one of your Data Processors.
FinPlan provides a secure operational environment in which to hold and process your business and client data. Details of the security infrastructure can be found in the Data Security Guide article.
The Client Portal should be used for all of your client communications as it provides the end-to-end security that standard email cannot. You can find details of how to activate your clients for the Portal in the Client Portal article.
Client Consent Recording
Within GDPR you need to evidence explicit consent from your clients for the processing activities that you undertake using their data.
You are able to record against each client the consents that you have obtained and associate the supporting document(s) with each consent. The date at which the consent was obtained is recorded, along with any notes or commentary required.
Should consent be withdrawn at any time this can also be recorded so that a clear audit trail is maintained of when the required consents were in place.
FinPlan enables you to search and report on specific consents that are in place (or are missing) so that, for example, you can target a mailshot only at those who have expressly granted their consent. You will also be able to monitor which clients do not yet have the required consents in place.
FinPlan will provide a pop-up warning, where a processing activity is undertaken without consent currently in place (such as passing details to a third-party).
GDPR introduces a ‘right to be forgotten’ which means that all client data (including documents and emails relating to the client) must be deleted on request. All data should also be deleted ‘when it is no longer required’. The compliance requirement to maintain accurate records spanning several years takes precedence over both of these requirements. It will be necessary, however, to delete the data once this time-period has expired.
FinPlan provides a report (via View -> Bulk Delete Clients) to identify clients that are candidates for deletion, in that they have no currently active policies and have generated no enquiries or granted any new processing consents within the specified time-frame (typically 7 years). This list can be used to populate a delete list for processing.
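The consent audit trail described above (grants and withdrawals recorded as dated events, with the current state derived from the latest one) and the deletion-candidate rule (no active policies and no enquiries or new consents within the retention period) could be modelled as follows. This is an added illustration, not FinPlan's own code or data model; the client IDs, purposes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ConsentEvent:
    client: str
    purpose: str      # e.g. "marketing", "third_party_sharing"
    granted: bool     # False records a withdrawal; events are never edited
    on: date
    note: str = ""

# Constructed sample ledger (hypothetical client IDs and dates).
LEDGER = [
    ConsentEvent("C001", "marketing", True, date(2019, 3, 1), "signed form #1"),
    ConsentEvent("C002", "marketing", True, date(2018, 6, 10)),
    ConsentEvent("C002", "marketing", False, date(2021, 1, 5), "withdrawn by email"),
    ConsentEvent("C003", "third_party_sharing", True, date(2016, 2, 2)),
]

def has_consent(ledger, client, purpose, as_of):
    """Consent is in place if the most recent event on or before as_of is a grant.
    Because withdrawals are appended rather than overwriting the grant, the
    same ledger answers 'was consent in place on date X?' for any X."""
    events = [e for e in ledger
              if e.client == client and e.purpose == purpose and e.on <= as_of]
    if not events:
        return False
    return max(events, key=lambda e: e.on).granted

def mailshot_recipients(ledger, clients, as_of):
    """Only clients with marketing consent currently in place."""
    return sorted(c for c in clients if has_consent(ledger, c, "marketing", as_of))

def deletion_candidates(clients, active_policies, last_enquiry, ledger,
                        as_of, retention_years=7):
    """Clients with no active policy and no enquiry or new consent grant
    inside the retention window (approximated as 365-day years)."""
    cutoff = as_of - timedelta(days=365 * retention_years)
    out = []
    for c in clients:
        if c in active_policies:
            continue
        recent_enquiry = c in last_enquiry and last_enquiry[c] >= cutoff
        recent_consent = any(e.client == c and e.granted and e.on >= cutoff
                             for e in ledger)
        if not recent_enquiry and not recent_consent:
            out.append(c)
    return sorted(out)
```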
A ‘Recycle’ bin provides a repository for deleted client and policy records and for any deleted emails or documents. Items in the ‘Recycle’ bin can be restored; until then they do not appear in any other part of the system.
‘Company Managers’ have the ability to perform a permanent deletion. This will delete the selected items in a non-recoverable, non-reversible fashion. It will not be possible for Bluecoat Software to access or recover this data. All such deletions are audited so that a deletion report is available of what was deleted, the user who performed the action and the date and time it took place.
Client Access Restriction & Restricted Processing
It is possible to stop any “processing” of a client’s records. This leaves a read-only copy of the details available within the system; however, access to the details is audited and a specific reason for access is required to view them. This facility ensures that if client consent for processing is withdrawn you can still deal with enquiries relating to their records whilst ensuring no changes can be made.
The Client Access Restrictions in FinPlan have been enhanced so that access to specific clients can be limited to named users.
This means that it is possible to define which specific users have access to any specific client. These permissions override any existing trust relationships in place so that, for example, staff members’ records can be restricted to a specific adviser, or a specific client’s details can be made accessible to only one adviser and one administrator in the firm.
Client Data Export
GDPR provides a right for Data Subjects (your clients) to receive a copy of all of the data you hold on them. Bluecoat Software offers a service to extract and collate all of the requested client data available within FinPlan. This packages the data in an Excel spreadsheet, along with any associated emails and documents. The data is encrypted and made available for download via a secure web-link.