Back in the GDPR...

14 Sep 2017

Mark Greenwood, Group Regulatory Policy Manager, The SimplyBiz Group

There is currently very little that we know with any certainty about what to expect from the UK’s Brexit negotiations.  Hard or soft? Single market or free trade area? Bad deal or no deal? At the moment, there are an awful lot of questions about our upcoming divorce from the European Union, with very few answers available.   In fact, I imagine that the Brexit lawyers are currently daydreaming of the halcyon days of handling actual divorce cases when all they had to worry about was who got custody of the dog and Aunt Edith’s crockery set! 

However, in financial services we do have a certain advantage in some areas as there are a number of pieces of European legislation heading our way that we do know for sure will be implemented in the next few years.  These include MiFID II, the Packaged Retail and Insurance-based Investment Products (PRIIPs), the Insurance Distribution Directive (IDD) and, the issue predominantly in the spotlight in recent months, the General Data Protection Regulation (GDPR).

GDPR is not a financial-services-specific piece of legislation; it will apply to every business operating in the UK, including advisory firms, in the same way as the existing Data Protection Act.  Whilst many of the requirements are based upon common-sense practices which you are likely to already have in place, there are also some requirements around operations and documentation of processes which will be brand new to the majority of firms.

So, what will be the biggest issues that advisers need to consider? 

  • Formal processes must be put in place to ensure the quality of data.  It makes sense for business, as well as data security reasons, to ensure that the data you hold is as accurate as possible.  However, GDPR asks that ‘every reasonable step’ is taken to ensure the accuracy of data held and that inaccurate data is erased or rectified without delay.
  • You will be liable for ensuring that your entire supply chain adheres to GDPR requirements.  When purchasing and sharing data (for example, if you pass data to a third party to conduct a mailing), you are responsible for undertaking due diligence to ensure that every part of your supply chain meets the GDPR rules. 
  • The rules are more stringent regarding data subject consent.  The existing Data Protection Act does state that consent to use their details must be given by the data subject; however, the GDPR will put a higher burden upon establishing the validity of the data, and the data subject must be fully informed of their right to withdraw consent to use their details.
  • The Information Commissioner’s Office (ICO) must be informed if a data breach occurs.  Again, not a big change here for most firms, as it is already recommended that any serious breaches should be reported.  The GDPR will make this mandatory, and introduce a new process and timeframes.

So far, so straightforward? Rob Walton states, quite correctly, that client information must be completely deleted from your records, rather than just archived, if the client makes that request.  At first glance, that seems perfectly reasonable; nobody should have the right to hang onto your personal data if you don’t want them to have it.  However, in an increasingly litigious society, with some complaints received by advisers dating back many years, how can you defend yourself against claims if you have deleted the details of the client and the case?

Luckily, the Information Commissioner’s Office has inserted a few small, but very powerful, words into its summary document which suggest that it might understand that this will be a complex rule for some types of business to observe: data need not be erased upon consumer request if there is a “lawful basis” for it to be retained.  Please do remain mindful, however, that you may be called upon to provide transparent and comprehensive justification of this ‘lawful basis’, either by a client or by the regulator, so this needs to form part of your preparation.

So, although the FCA are yet to issue any formal guidance, it is highly unlikely that it will deviate greatly from the framework set out by the ICO so it would be fruitless, and ultimately more time consuming, to defer your GDPR preparations.  Just think, it could be worse; you could be a Brexit negotiator! 

The ICO have provided a useful checklist to help firms ensure they are fully compliant with the requirements of GDPR; you can find it on its website at www.ico.org.uk.

The Information Commissioner’s Office have issued a twelve-step plan for businesses to take now in preparation for GDPR compliance before the 25th of May 2018.

  1. Awareness:  You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. Information you hold:  You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
  3. Communicating privacy information:  You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. 
  8. Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  9.  Children:  You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  10. Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  11. Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  12. International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
