Back in the GDPR...
Mark Greenwood, Group Regulatory Policy Manager, The SimplyBiz Group
There is currently very little that we know with any certainty about what to expect from the UK’s Brexit negotiations. Hard or soft? Single market or free trade area? Bad deal or no deal? At the moment, there are an awful lot of questions about our upcoming divorce from the European Union, with very few answers available. In fact, I imagine that the Brexit lawyers are currently daydreaming of the halcyon days of handling actual divorce cases when all they had to worry about was who got custody of the dog and Aunt Edith’s crockery set!
However, in financial services we do have a certain advantage in some areas, as there are a number of pieces of European legislation heading our way that we know for sure will be implemented in the next few years. These include MiFID II, the Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation, the Insurance Distribution Directive (IDD) and, the issue predominantly in the spotlight in recent months, the General Data Protection Regulation (GDPR).
GDPR is not a financial services specific piece of legislation; it will apply to every business operating in the UK, including advisory firms, in the same way as the existing Data Protection Act does. Whilst many of the requirements are based upon common-sense practices which you are likely to already have in place, there are also some requirements around operations and documentation of processes which will be brand new to the majority of firms.
So, what will be the biggest issues that advisers need to consider?
- Formal processes must be put in place to ensure the quality of data. It makes sense for business reasons, as well as for data security, to ensure that the data you hold is as accurate as possible. However, GDPR goes further and asks that ‘every reasonable step’ is taken to ensure the accuracy of data held and that inaccurate data is erased or rectified without delay.
- You will be responsible for ensuring that your entire supply chain adheres to GDPR requirements. When purchasing and sharing data (for example, if you pass data to a third party to conduct a mailing), you remain responsible for undertaking due diligence to ensure that every part of your supply chain meets the GDPR rules, and you should expect to evidence that due diligence.
- The rules are more stringent regarding data subject consent. The existing Data Protection Act already requires that, where consent is relied upon, it is given by the data subject; however, the GDPR will put a higher burden upon establishing the validity of that consent, and the data subject must be fully informed of their right to withdraw consent to the use of their details.
- The Information Commissioner’s Office (ICO) must be informed if a personal data breach occurs, unless the breach is unlikely to result in a risk to individuals. Again, not a big change here for most firms, as it is already recommended that any serious breaches should be reported. The GDPR will make this mandatory, and introduce a new process and timeframes: notification to the ICO within 72 hours of becoming aware of the breach, where feasible.
So far, so straightforward? Rob Walton states, quite correctly, that client information must be completely deleted from your records, rather than just archived, if the client makes that request. On first glance, that seems perfectly reasonable; nobody should have the right to hang onto your personal data if you don’t want them to have it. However, in an increasingly litigious society, with some complaints received by advisers dating back many years, how can you defend yourself against claims if you have deleted the details of the client and the case?
Luckily, the Information Commissioner’s Office has inserted a few small, but very powerful, words into its summary document which suggest that it understands this will be a complex rule for some types of business to observe: data need not be erased upon a consumer’s request if there is a “lawful basis” for it to be retained. The GDPR itself lists the establishment, exercise or defence of legal claims among the grounds on which the right to erasure does not apply. Please do remain mindful, however, that you may be called upon to provide transparent and comprehensive justification of this ‘lawful basis’, either by a client or by the regulator, so this needs to form part of your preparation.
So, although the FCA is yet to issue any formal guidance, it is highly unlikely that it will deviate greatly from the framework set out by the ICO, so it would be fruitless, and ultimately more time consuming, to defer your GDPR preparations. Just think, it could be worse; you could be a Brexit negotiator!
The ICO has provided a useful checklist to help firms ensure they are fully compliant with the requirements of GDPR; you can find it on its website at www.ico.org.uk
The Information Commissioner’s Office has issued a twelve-step plan of actions for businesses to take now in preparation for being GDPR compliant before the 25th of May 2018.
- Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Children: You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.