It could be that you want to disable the collection of IP addresses for those who visit your site. Or disable cookies so clients don’t place information on the site that they might want you to expunge later. Otherwise you might need a banner explaining that you are indeed using cookies and that the users can opt out of them. Banners also link users to your privacy policies—which tell users how you are using data they have submitted. If you are using a service provider (such as Squarespace), you must check to see what their privacy policies are as well.

Of course, advisors might reasonably ask: How much identity can you glean from an IP address, really? Some addresses, after all, are mapped to lakes in the middle of Kansas. McDonald says it’s a good question, but says even those IP addresses allow snoops to weed out information on people.

“There are third party softwares out there that can attach that IP address to more information as that IP address returns to your site,” McDonald said in the interview with Financial Advisor. “What is this visitor particularly interested in? Eventually if that person with that IP address happens upon a form and gives you a little bit of information, answers some survey information, there are third-party tools that can connect you to more and more information.”

Under the new regulation, you must also be able to notify your EU clients if there has been a data breach. And you must have a method in place for getting rid of somebody’s private information permanently if they contact you and ask you to.

Under the regulation, people also have the right to know what kind of data you are collecting on them, and you must let them know they can opt out. You must also let them know if you are transferring their data, and who it's being sent to outside the EU.

“You might be thinking,” McDonald wrote on Nerd’s Eye View, “that all this data tracking and security isn’t ultimately your problem as you’re a financial advisor, not directly collecting and storing online client information on your own servers or in your own office. It’s all stored on third-party data servers, and it’s the problem of that vendor to maintain the security of the data on their servers. That may be true, but the GDPR still sees it as your responsibility, because you’re the one requesting/collecting the information.”

Will some advisors overreact and simply block European customers? That would be a mistake, says Mark Trousdale, chief marketing officer at InvestCloud, a software design and engineering company. GDPR doesn’t mean you can’t collect information on people, he says. It just means knowing about the data you collect on individuals. So firms simply need a strategy for compliance.

“Anecdotally, I've heard firms talk about backing out of Europe,” says Trousdale (though he stresses they are not his company’s clients). “But for firms without a data strategy, it may seem easier to simply overreact. Again, I think this is shortsighted, not to mention, it's missing the point of GDPR for firms that collect data on individuals, which is that robust data management is a good thing that should be implemented immediately.”
