The General Data Protection Regulation (GDPR)
- The GDPR took effect on 25th May 2018, replacing the Data Protection Act 1998.
- The GDPR applies irrespective of the UK’s decision to leave the EU.
- GDPR applies to all businesses operating in the UK; this includes all directly authorised intermediary firms.
- The GDPR goes beyond the DPA to provide further protection to personal and sensitive personal data.
The Information Commissioner’s Office (ICO) produced a document to help firms as they prepare for the changes ‘Preparing for the General Data Protection Regulation (GDPR)’. You can read the full ICO document here.
What is personal data?
The GDPR Regulation defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".1
Key points to consider
There are a number of key points which need to be considered as follows:
- The GDPR refers to consent and explicit consent. Under the GDPR there will be some form of clear affirmation required from an individual, and things such as pre-ticked boxes will not constitute consent. When consent is obtained, you will need to keep a record of this. The data subject must be fully informed of their right to withdraw consent at any time. If you already obtain consent in a manner that meets the new requirements under the GDPR then there will be no problem; however, it is necessary to be sure of this. If your current consent does not meet the new standards, you will need to go through the process of gaining consent again.
- Under GDPR individuals will have certain rights to obtain confirmation that their data is being processed correctly and to have access to all personal data that is held about them.
- GDPR states that ‘every reasonable step’ must be taken to ensure the accuracy of data held and that inaccurate data is erased or rectified without delay.
- There will also be a right to have the information ‘forgotten’ – there are more details provided in the overview document and it is crucial that firms have a process to follow in case this is requested. The ICO does state that “data need not be erased upon consumer request if there is a “lawful basis” for it to be retained”2. The GDPR wording states that the right to be forgotten does not apply if keeping the data is necessary "for the establishment, exercise or defence of legal claims". This is particularly pertinent to financial advisers, given that a client could make a complaint relating to advice given several years previously; had all personal data been deleted, this could pose a serious issue in terms of being able to defend the advice given at the time. Presently, there is no definition as to what is considered a ‘lawful basis’, and it is likely that if a client had asked for all data to be deleted and this was not done, you would be required to provide a comprehensive justification as to why you did not.
- The GDPR will introduce a duty on all organisations to report certain types of data breaches to the relevant supervisory authorities and in some cases to the individuals themselves, for example if personal details in a client’s records were inappropriately accessed due to a lack of internal controls. Clearly, if suitable processes and policies are in place, the risk of this will be significantly reduced.
These are just some of the crucial points to consider and understand before building them into your current activities. However, it is essential that you familiarise yourself with the ICO checklist designed to help firms ensure they are fully compliant with the requirements of GDPR and, importantly, how it may affect them specifically. As a general rule, protecting and attributing value to your clients’ personal, and often sensitive, data, as well as only sharing it where relevant and necessary, is of great importance and should be best practice anyway.
Cyber attacks are on the rise and every business should take steps to protect itself against such attacks. Not only could a successful attack leave a business unable to function for a period of time, but there is also a risk of legal action being taken by those affected, and of the reputational damage it could cause. The GDPR brings new obligations to firms in terms of reporting data breaches, namely notifying the supervisory authority (the ICO in the UK) and the individual(s) whose data may have been breached. If you fail to notify relevant parties about a minor breach when you were supposed to, this will result in a fine of up to €10 million or 2% of total global annual turnover (whichever is higher), and if you fail to notify relevant parties about a major breach, this results in a fine of up to €20 million or 4% of total global annual turnover (whichever is higher). Further details around this can be found in Articles 33 and 34 of the GDPR.
1 Source: General Data Protection Regulation, Chapter 1, Article 4 https://gdpr-info.eu/art-4-gdpr/
2 Source: General Data Protection Regulation, Chapter 3, Article 17 https://gdpr-info.eu/art-17-gdpr/