GDPR - Should you be worried?

GDPR what is it?

The EU have got together, Britain included and agreed over the last 4 years to implement new regulation to protect EU citizens’ personal data. The legislation is known as the General Data Protection Regulation … GDPR for short. It was approved in April 2016 and has a two-year transition period which means time for implementation is running out.

The enforcement date i.e. the date upon which you as a business must comply is 25 ^th May 2018. It is going to replace the Data Protection Act and despite Brexit the UK government has said it will adopt the legislation [1] as we had a key hand in drafting it and if you want to do business with any EU citizen you need to comply whether we’re in the EU or not.

When and why should I care?

The Data Protection Act 1998 put a lot of onus on Data Controllers to take responsibility for the personal data they hold. The GDPR tightens these regulations but also puts much greater onus on Data Processors to maintain records of personal data and processing activities. It also makes both Data Processors and Data Controllers liable for incorrect handling of personal data and the penalties are enormous.

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million [2] . So not doing anything is probably not a wise decision.

As a financial adviser what are the key things I should be thinking about?

There are 12 key steps [3] for any business to consider which are as follows –

Step 1: Awareness 

Make sure key people in your organisation are aware that the law is changing. Get a team together involving compliance, HR and  key decision makers and look at what needs to be done for May 2018.

Step 2: Document the personal data you hold

Find out what personal data you hold, where it came from, where it’s stored and any organisations you share it with. Obvious examples would be your back office (desktop or in the cloud), platforms and providers, etc.

One of the key principles is that any data you store should be relevant and accurate. You need a process to keep it up to date and to ensure it is protected and most importantly you need to document this as it will help you demonstrate compliance.

Step 3: Communicating privacy information

Many companies rely on the one size fits all opt-out “Do you give us permission to hold and process personal data on your behalf?” If the client answers no, in most cases the organisation will decline to do business with that individual.

For GDPR you will need to go much further and explain what data you hold, how long you hold it for and for what purposes you are going to use the data and make individuals aware of their right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.

Step 4: Individuals’ rights

A key new right is the right of data portability. Clients have the right to request the data you hold as a data controller (of which you are almost certainly one). You need to provide their personal data in a structured commonly used and machine-readable form (probably CSV, Excel or XML). It would be a good idea to check with your back-office supplier and any other systems that you use that you can get access to client data in a format reliably and easily. Personal data could well be stored on attached documents and to comply you will also need to make these available for the client in a suitable format such as PDF.

Step 5: Subject access requests

Previously you had 40 days and could charge £10 for a subject access request. Now in almost all cases they’re free it’s likely the number could increase and you have only one month to comply. You should carefully consider how you identify the person making the access request is legally entitled to the data as increasing the access to personal data could easily be compromised.

Step 6: Lawful basis for processing personal data

The relevance i.e. need for processing personal data should be documented in your privacy notice.

Step 7: Consent

Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in i.e. it cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.

You are not required to refresh all existing DPA consents in preparation for the GDPR, but if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.

Step 8: Children

Many advisers will hold personal data on behalf of their clients’ children. The GDPR sets the age when a child can give their own consent to processing their data at 16. If a child is younger then you will need to get consent from a person holding ‘parental responsibility’. 

Step 9: Data breaches

You need to have procedures in place to detect data breaches and in most cases, will need to report these to the ICO and the individuals affected. Failure to notify can result in a fine in addition to the fine for the breach itself.

As a data controller, you will need to approve the third-party systems you use for storing personal data and make sure they have adequate controls and procedures in place for detecting and reporting data breaches regarding your personal data.

Step 10: Data Protection by Design and Data Protection Impact Assessments

Data you generally hold is of a significant interest to fraudsters and much of this personal data is shared via email. There is a legal requirement to carry out a privacy impact assessment where there is processing of highly sensitive data and if you’re passing this information via email you’re going to have to address this. Stop sending information via email and implement a secure portal to communicate securely with your clients and share documents and other key financial information.

Step 11: Data Protection Officer

You need to appoint someone in your organisation, or an external adviser, who has the knowledge, support and authority to take responsibility for your data protection compliance. 

Step 12: International

Probably not relevant to most adviser firms but if you do operate out of more than one EU member state then you need to think about where the lead authority sits. If you do you’re probably going to have more headaches than most of us from Brexit – so good luck with this.

Conclusions

Please regularly review your Data Protection framework.

The key principle under GDPR is that data protection isn’t a one-off responsibility. Relevant protection systems are improving all the time whilst facing ever increasing risks of cyber-attack. You need to be able to demonstrate that you have a continuous program of review of your systems in place to ensure you are doing everything reasonably to be expected to avoid any potential data breaches. If you don’t have the records to prove it, then you face considerable reputational and financial damage.

And think very seriously before you email.

Email is probably your greatest risk followed by inadequate protection of personal data on some back-office systems who may not be using up to date encryption, check with your supplier and implement secure messaging as a minimum requirement for GDPR.

For more information on GDPR and how it will impact your organisation, we recommend the following resources –

ICO for Organisations: Data Protection Reform

https://ico.org.uk/for-organisations/data-protection-reform/

EU GDPR. Org

http://www.eugdpr.org/eugdpr.org.html

GDPR Roadshow Events 2018

• London - 23rd January
  
• Birmingham - 24th January
  
• Glasgow - 1st February
  
• Bristol - 8th February
  
• Leeds - 15th February
  

[1] The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Information Commissioners Office ICO -

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/

[2] This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. http://www.eugdpr.org/key-changes.html

[3] These steps follow the format proposed in the ICO publication called 12 steps to take now

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf