PREPARING FOR GDPR
The countdown has begun to the European General Data Protection Regulation (GDPR). Coming into force on 25 May, this major piece of legislation establishes a new legal framework for the management of personal data. This cross-industry regulation will affect organisations across the UK and EU, and is another reform that financial advisers and product providers alike will have to adapt to alongside MiFID II (the Markets in Financial Instruments Directive II) and IDD (the Insurance Distribution Directive).
Significant work is required to ensure compliance by the May 2018 deadline, and organisations should already be well under way in their preparations.
GDPR AT A GLANCE
GDPR represents the biggest shake-up of data protection laws in 20 years. It is a Europe-wide piece of legislation, applying to all European Union (EU) Member States.
The UK government has confirmed that the decision to leave the EU will not affect organisations’ need to comply.
GDPR makes a number of important changes to our existing framework (currently primarily governed by the Data Protection Act 1998), including:
- Wider scope – applies not only to organisations established in the EU, but also those outside who process certain types of personal data
- Operations – organisations must adopt a privacy by design approach, demanding a comprehensive review and enhancement to all systems, processes, products and services to meet GDPR standards
- Sanctions – tougher enforcement and significantly higher fines of up to €20m or 4% of group turnover
- Wider definition – personal data covers any identifiers relating to a person, including location data, IP addresses and cookies
- Lawful processing – GDPR raises the bar on when organisations can lawfully collect and process personal data
- Consent – new rules on what constitutes consent (in particular, the need for active, not passive consent) and the need to refresh consent for any existing data that does not meet GDPR standards
- Transferring – stricter conditions for when data can be transferred between entities, particularly outside the EU
- Breach notification – new requirements and tighter deadlines to notify both supervisory authorities and affected persons of data breaches
- Subject rights – greater rights for data subjects, including rights of erasure of erroneous data
- Internal governance – requirement for certain organisations to formally appoint a Data Protection Officer, including prescribed duties and responsibilities
- Accountability – a large focus on the need to evidence compliance
WHAT THIS MEANS FOR ADVISERS
GDPR is not simply a question of compliance; it requires organisations to completely transform the way they collect, store, process and share personal data.
The Information Commissioner’s Office (ICO), the UK’s independent authority governing data protection, has issued 12 steps that organisations should take ahead of the deadline (see panel).
Alongside client reporting already required for the FCA, GDPR will have marketing data implications for advisers surrounding how they communicate with their clients, both present and potential. For email communications, firms must have an audit trail proving a double opt-in for marketing communications. This means that the client must initially opt in to receiving emails from a firm and that having an unsubscribe option within the email is no longer enough.
Furthermore, data breaches will carry greater consequences. In the event of a data breach or cyber attack, a firm has 72 hours to report the incident to the ICO and, in most cases, those clients who are affected. Fines can reach up to €20m or 4% of global revenue, whichever is higher, an increase from the current maximum fine of £500,000.
Last year, Intelliflo set up a GDPR working group comprising representatives from 11 major networks, representing around 2,000 UK advice firms in total. It aims to arrive at a common interpretation of the impact of GDPR on financial advice firms and a best practice approach to implementation that will meet the challenges of the new regulation. The group, which includes GDPR experts from NCC Group and legal firm DAC Beachcroft, has met on three occasions, and Rob Walton, Intelliflo’s chief operating officer and chair of the working group, says the clear message from each meeting is that “doing nothing is not an option”.
“The GDPR will affect every business across Europe and the very nature of the financial advice sector means advisers are particularly at risk if they fail to engage with the actions they need to take to comply by the enforcement date in May,” he says.
“To ensure they comply with the regulation, firms must establish a data management policy that balances the rights of the data subject against the firm’s right to meet regulatory requirements or potentially defend a legal claim. It’s not all bad news: segmenting data creates increased business efficiencies and opens up new opportunities to contact clients who you’ve lost touch with, potentially renewing those relationships.
“Training staff so they fully understand the rules around data access and management is also essential, as is ensuring they follow security best practice to mitigate the risk of data falling into the hands of people who have no business seeing it.
“The clock is ticking and those advisers who fail to engage with the demands of the new regulation ahead of May will leave themselves vulnerable to claims that could prove fatal to the long-term health of their businesses, given that the GDPR now allows a firm’s clients to sue them for not complying with the regulation.”
12 STEPS TO PREPARATION
1. Awareness – key people in the organisation should be aware of GDPR and its implications
2. Information held – create an information asset register to fully understand what information you hold, where it came from, how it is stored and who it is shared with
3. Communication – review current privacy notices and plan how you will change them in response to GDPR
4. Individuals’ rights – ensure internal procedures can respond to the new rights of individuals
5. Subject access requests – update procedures to meet new timescales and requirements
6. Lawful basis – identify your lawful basis for processing any data. Document this and update privacy notices to explain it
7. Consent – review how you seek, record and manage consent. Refresh existing consent if it does not meet GDPR standards
8. Children – understand whether you need new systems to verify individuals’ age or obtain parental or guardian consent
9. Data breaches – establish procedures to effectively detect, report and investigate breaches
10. Protection by design – familiarise yourself with the ICO’s guidance on privacy impact assessments and article 29
11. Data Protection Officer (DPO) – designate someone to take responsibility for GDPR compliance and decide how they will sit within the organisation. Establish whether a DPO must be formally appointed
12. International – if you process data across borders, determine your lead supervisory authority