Most advisors know you’re supposed to destroy old client records. But under the new Reg S-P amendments, the rules are tighter—and they extend to your vendors, too.
Let’s talk about what’s changed and how to dispose of sensitive data the right way.
What’s New in the Disposal Rule?
- Covers All NPI: That’s “nonpublic personal information”—and it includes client and prospect data, even if it came from another firm.
- Digital Data Counts: Cloud storage, backups, and email archives all fall under disposal. If you’re keeping it, you need a reason.
- Vendor Responsibility: If vendors store your data, you’re responsible for how they dispose of it.
- Written Policy Required: You need a formal, documented disposal plan that holds up during SEC exams.
What Should Your Policy Include?
Your data disposal policy should cover:
- What data is subject to disposal (client files, logs, emails, etc.)
- Methods used (shredding, digital wiping, secure deletion software)
- Who is responsible for executing disposal
- Retention timelines by data type
The goal? Clear, documented, repeatable processes.
Practical Tips
- Track Where Your Data Lives: Know what systems, folders, and vendors hold your NPI.
- Review Contracts: Make sure vendors agree to your disposal requirements.
- Train Staff: Everyone should understand what data must be disposed of—and how.
- Keep Logs: Maintain records of when data was disposed, how it was destroyed, and by whom.
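The two lists above (retention timelines by data type, and a log of when, how and by whom data was disposed) are simple enough to automate. The following is an added example, not code from the post or from any compliance vendor: it holds a constructed inventory of where NPI lives, flags assets whose retention window has expired, groups them by the vendor responsible for disposal, and writes each disposal to a hash-chained log so later edits or deletions to the log are detectable. The asset records, retention periods, vendor names and disposal methods are all made up for illustration; a real policy would take them from the firm's written plan.

```python
"""Retention check and tamper-evident disposal log (added example, not from the post).

Assumptions (constructed for illustration): the inventory records, the retention
periods, the vendor names and the disposal methods below are made up.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Retention timelines by data type, in days. Constructed values; a real policy
# would take these from the firm's written disposal plan.
RETENTION_DAYS = {
    "client_file": 365 * 6,
    "prospect_record": 365 * 2,
    "email_archive": 365 * 3,
    "access_log": 365,
}


@dataclass(frozen=True)
class DataAsset:
    asset_id: str
    data_type: str        # key into RETENTION_DAYS
    location: str         # system, folder or cloud bucket holding the data
    vendor: str           # "internal" or the third party storing it
    contains_npi: bool
    last_needed: date     # date the business need ended (e.g. account closed)


def overdue_assets(inventory, today, policy=RETENTION_DAYS):
    """Return the NPI-bearing assets whose retention window has expired."""
    overdue = []
    for asset in inventory:
        if not asset.contains_npi:
            continue
        if asset.data_type not in policy:
            # No timeline means no documented reason to keep it, so surface
            # the asset for review rather than silently skipping it.
            overdue.append(asset)
            continue
        deadline = asset.last_needed + timedelta(days=policy[asset.data_type])
        if today > deadline:
            overdue.append(asset)
    return overdue


def by_vendor(assets):
    """Group asset ids by the party that must carry out the disposal."""
    groups = {}
    for asset in assets:
        groups.setdefault(asset.vendor, []).append(asset.asset_id)
    return groups


def _entry_hash(entry):
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def record_disposal(log, asset, method, operator, when):
    """Append a log entry for one disposal, chained to the previous entry."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "asset_id": asset.asset_id,
        "location": asset.location,
        "vendor": asset.vendor,
        "method": method,            # how it was destroyed
        "operator": operator,        # by whom
        "disposed_on": when.isoformat(),  # when
        "prev_hash": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute every hash and link; False if any entry was edited or removed."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed inventory and reference date for the demonstration.
TODAY = date(2025, 1, 1)
INVENTORY = [
    DataAsset("A-1", "client_file", "fileserver:/clients/acct-1", "internal", True, date(2017, 1, 15)),
    DataAsset("A-2", "prospect_record", "crm:leads", "CRM Vendor Co (constructed)", True, date(2022, 3, 1)),
    DataAsset("A-3", "email_archive", "archive:mailbox-7", "Archive Vendor Co (constructed)", True, date(2024, 6, 30)),
    DataAsset("A-4", "marketing_copy", "web:assets", "internal", False, date(2015, 1, 1)),
    DataAsset("A-5", "unknown_export", "s3://exports (constructed)", "internal", True, date(2023, 1, 1)),
]

if __name__ == "__main__":
    due = overdue_assets(INVENTORY, TODAY)
    print("overdue by vendor:", by_vendor(due))
    log = []
    for asset in due:
        record_disposal(log, asset, "cryptographic erase (constructed)", "ops-user", TODAY)
    print("log verifies:", verify_log(log))
```

Two design points: an asset whose data type has no retention entry is reported rather than ignored, because "no documented timeline" is exactly the gap an examiner will ask about; and the vendor grouping gives you the list to hand to each third party, which is what the vendor-responsibility item above requires you to be able to show.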
Why This Matters
Outdated data is a liability. If you don’t need it—and you don’t dispose of it properly—you’re at risk of a breach, client trust issues, or a failed audit.
Treat data disposal with the same seriousness as data protection, because cleaning up securely is just as important as storing wisely.