The General Data Protection Regulation (GDPR), which applies in the UK and across the rest of the EU from 25th May 2018, impacts every business sector in different ways. Although all of the data protection principles are important, there are several key areas to which independent financial advisers will need to pay particular attention.
1. Lawful basis of processing
Every data controller (the entity that determines the purposes and means of data processing) will have to make sure that there is a lawful basis for processing, and that all the personal data held in any of your organisation’s databases (including employee data, current customer data and marketing data, including business contact details) has a clearly defined lawful basis for being there – otherwise it needs to be removed. Data retention schedules, which set out how long different types of personal information can lawfully be retained, are essential and need to be effective.
2. Controller–processor relationships
Independent financial advisers regularly share their clients’ personal information with financial institutions. Under the GDPR, you will have to make your clients aware of this and you will also need a contract in place with the financial institution that allows the financial institution to process that data – because it will be illegal for any entity to process data on behalf of a data controller other than under the terms of a data processing contract.
3. Automated processing
Many financial institutions use automated processing tools to determine creditworthiness and other issues. The GDPR imposes specific obligations on controllers and processors with regard to such processing.
4. Data security
Personal data has to be protected and breaches have to be reported to the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) within 72 hours. Reporting a breach is likely to trigger an investigation, which could uncover many areas of non-compliance. Regulatory fines will take all those areas into account.
5. Privacy notices
Finally, independent financial advisers need to be aware of the requirements around privacy notices and have in place working processes that allow data subjects to exercise their rights: the right of access to their data as well as the new rights of data portability and data erasure (the ‘right to be forgotten’). Although neither of these new rights is an absolute right, they are likely to be contentious.
Unlike the Data Protection Act (DPA), the GDPR has real teeth. Data subjects can take court action for breach of their rights – and there is no ceiling on the compensation that can be awarded. Regulators are empowered to levy fines of up to 4% of annual turnover or €20 million (£17.9 million), whichever is greater, and are legally required to make sure these fines are “dissuasive”.
There’s less than a year left to get prepared. You have to be GDPR-compliant by 25th May 2018 – not simply starting to comply. Fines may be levied on regulatory breaches identified at any time from 25th May 2018 onwards.