What do we know about GDPR?

  • The GDPR will apply in the UK from 25th May 2018 and will replace the current Data Protection Act 1998.
  • The government has confirmed that the GDPR will take effect irrespective of the UK’s decision to leave the EU.
  • The GDPR will apply to all businesses operating in the UK, including all directly authorised intermediary firms.
  • If you are currently subject to the DPA, it is extremely likely that you will also be subject to the GDPR. 

The GDPR will go beyond the DPA to provide further protection to personal and sensitive personal data, and although firms may already adhere to some of the GDPR’s requirements which can be considered ‘common-sense’ or ‘best practice’, it is extremely likely that firms will need to undertake changes in order to be completely in line with the new rules.

The Information Commissioner’s Office (ICO) has produced a document, ‘Preparing for the General Data Protection Regulation (GDPR)’, to help firms as they prepare for the changes; it lists 12 steps for immediate action. You can read the full ICO document here.

We strongly recommend that firms review these steps as a starting point to see what action may be required ahead of the new rules being introduced. The FCA has not yet provided firms with guidance regarding preparing for the GDPR. We will keep you informed if it does provide guidance.

What is personal data?

The GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".1

Key points to consider

There are a number of key points which need to be considered as follows:

  • The GDPR refers to consent and explicit consent. Under the GDPR, some form of clear affirmative action will be required from an individual; things such as pre-ticked boxes will not constitute consent. When consent is obtained, you will need to keep a record of it. The data subject must be fully informed of their right to withdraw consent at any time. If you already obtain consent in a manner that meets the new requirements under the GDPR then there will be no problem, but it is necessary to be sure of this. If your current consent does not meet the new standards, you will need to go through the process of gaining consent again.
  • Under GDPR individuals will have certain rights to obtain confirmation that their data is being processed correctly and to have access to all personal data that is held about them.
  • GDPR states that ‘every reasonable step’ must be taken to ensure the accuracy of data held and that inaccurate data is erased or rectified without delay.
  • There will also be a right to have the information ‘forgotten’. More details are provided in the overview document, and it is crucial that firms have a process to follow in case this is requested. The ICO does state that “data need not be erased upon consumer request if there is a ‘lawful basis’ for it to be retained”2. The GDPR wording states that the right to be forgotten does not apply if keeping the data is necessary "for the establishment, exercise or defence of legal claims". This is particularly pertinent to financial advisers, given that a client could make a complaint relating to advice given several years previously; had all personal data been deleted, this could pose a serious issue in terms of being able to defend the advice given at the time. Presently, there is no definition as to what is considered a ‘lawful basis’, and it is likely that, had a client asked for all data to be deleted and this was not done, you would be required to provide a comprehensive justification as to why you did not.
  • The GDPR will introduce a duty on all organisations to report certain types of data breaches to the relevant supervisory authorities and, in some cases, to the individuals themselves. An example would be personal details in a client’s records being inappropriately accessed due to a lack of internal controls. Clearly, if suitable processes and policies are in place, the risk of this will be significantly reduced.

These are just some of the crucial points to consider and understand before building them into your current activities. It is essential that you familiarise yourself with the ICO checklist, which is designed to help firms ensure they are fully compliant with the requirements of the GDPR and, importantly, understand how it may affect them specifically. As a general rule, protecting and attributing value to your clients’ personal, and often sensitive, data, and only sharing it where relevant and necessary, is of great importance and should be best practice anyway.

Cyber Crime

Cyber attacks are on the rise and every business should take steps to protect itself against them. Not only could a successful attack leave a business unable to function for a period of time, but there is also a risk of legal action being taken by those affected, as well as the reputational damage it could cause. The GDPR brings new obligations to firms in terms of reporting data breaches, namely notifying the supervisory authority (the ICO in the UK) and the individual(s) whose data may have been breached. If you fail to notify the relevant parties about a minor breach when you were supposed to, this will result in a fine of up to €10 million or 2% of total global annual turnover (whichever is higher), and if you fail to notify the relevant parties about a major breach, this results in a fine of up to €20 million or 4% of total global annual turnover (whichever is higher). Further details can be found in Articles 33 and 34 of the GDPR.

1 Source: General Data Protection Regulation, Chapter 1, Article 4 https://gdpr-info.eu/art-4-gdpr/ 

2 Source: General Data Protection Regulation, Chapter 3, Article 17 https://gdpr-info.eu/art-17-gdpr/