General Data Protection Regulation
17-12-2017
The EU member states, Britain included, have spent the last four years agreeing new regulation to protect EU citizens’ personal data. The legislation is known as the General Data Protection Regulation … GDPR for short.
It was approved in April 2016 and has a two-year transition period which means time for implementation is running out.
The enforcement date, i.e. the date from which you as a business must comply, is 25th May 2018. It is going to replace the Data Protection Act. Despite Brexit, the UK government has said it will adopt the legislation[1], as the UK had a key hand in drafting it, and if you want to do business with any EU citizen you need to comply whether we’re in the EU or not.
The GDPR tightens the existing data protection rules but also puts much greater onus on Data Processors to maintain records of personal data and processing activities.
It also makes both Data Processors and Data Controllers liable for incorrect handling of personal data, and the penalties are enormous.
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million[2].
So not doing anything is probably not a wise decision.
It puts individuals back in control of their personal data
Customers and employees have more power to control how businesses use their data. You could be required to report on, move or dispose of personal data if requested and you must have the capabilities to do this. Your options for using personal data are restricted.
You must be able to provide individuals with their personal data in a structured, commonly used and machine-readable form. Your systems and processes will have to let you truly ‘forget and delete’ data upon request from the individual, including data in long-term archives.
The rules on consent are getting tougher, and individuals can withdraw consent at any time. You’ll be required to articulate all of the ways in which you use personal data, and make it clear to individuals what their data is being used for and who you have shared it with.
You will remain responsible for individuals’ personal data throughout the entire data lifecycle. You will have to assure that data you pass to third parties is handled in a manner compliant with GDPR.
Fines for non-compliance can be as severe as 4% of annual global turnover or 20m EUR – whichever is higher, enforceable from May 2018. You will be under legal obligation to notify data protection authorities within 72 hours of a data breach, and individuals without delay. You will have to keep records of your data processing activities, undertake privacy impact assessments and appoint a Data Protection Officer (DPO).
Cyber attacks and breaches of data on individuals
Under GDPR, if you are subjected to a cyber attack and data on individuals is breached, you will have 72 hours to report this breach to the regulator – and in most cases, to each individual affected. How will you identify attacks and appropriately report them?
Furthermore, the ramifications for advice businesses are multifarious. Not only will breaches have to be reported, but they will also be made public.
According to consumer research by Intelliflo, 82% of investors would seek to change, or not appoint in the first place, an adviser that has been hacked.
GDPR will have an impact on how you approach potential clients and communicate with existing clients.
In order to email prospects and clients under GDPR, firms must have a double opt-in from the people they are contacting.
In short, this means that the people whose email addresses you hold must have clicked to indicate that they are happy to hear from you, as they do currently, and then further opted in to receive communication from your company by responding to a confirmation email.
This means that your first email correspondence with a prospect will be an email asking them to confirm that they are happy to receive further emails from you. It will no longer be sufficient to simply offer recipients an unsubscribe option – they must have opted in to your correspondence in the first place.
It will only take one complaint to land you in hot water. If you can’t prove that the disgruntled recipient of your marketing efforts has opted in to your correspondence, or that the other recipients of your emails have, too, then you face the prospect of a hefty fine. It only takes one non-compliant record, though – the subsequent penalty is based on the entire organisation.
You will need an audit trail showing that your universe of contacts has consented to hearing from you.
This audit trail will need to be time-stamped so that you can show when people gave permission for you to contact them by email.
Beyond that, you will also need to provide people with the right to be forgotten.
This goes beyond the existing ‘do not contact’ demarcation in your CRM and means that, when requested, you will have to entirely delete that contact and their personal details from your system.
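The double opt-in, time-stamped audit trail and right-to-be-forgotten requirements above (plus the withdrawal of consent in Step 7) as a small consent ledger. This is an added example, not code from the original article; the ConsentLedger class, the HMAC-based confirmation token and the server-side secret are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
import hashlib
import hmac

@dataclass
class ConsentRecord:
    email: str
    requested_at: datetime
    confirmed_at: datetime | None = None
    withdrawn_at: datetime | None = None
    events: list[tuple[datetime, str]] = field(default_factory=list)  # time-stamped audit trail

class ConsentLedger:
    # Double opt-in: a contact may be emailed only after confirming with the token
    # sent in the first, confirmation-only email.
    def __init__(self, secret: bytes):
        self._secret = secret  # hypothetical server-side key for confirmation tokens
        self._records: dict[str, ConsentRecord] = {}
    def _token(self, email: str, requested_at: datetime) -> str:
        msg = f"{email}|{requested_at.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
    def request_opt_in(self, email: str, now: datetime) -> str:
        rec = ConsentRecord(email, now)
        rec.events.append((now, "opt-in requested"))
        self._records[email] = rec
        return self._token(email, now)  # goes into the confirmation email
    def confirm(self, email: str, token: str, now: datetime) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False  # unknown contact, or already confirmed
        if not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            rec.events.append((now, "confirmation rejected"))
            return False
        rec.confirmed_at = now
        rec.events.append((now, "opt-in confirmed"))
        return True
    def withdraw(self, email: str, now: datetime) -> None:  # consent can be withdrawn at any time
        rec = self._records[email]
        rec.withdrawn_at = now
        rec.events.append((now, "consent withdrawn"))
    def may_email(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
    def erase(self, email: str) -> bool:  # right to be forgotten: remove the contact entirely
        return self._records.pop(email, None) is not None
    def audit_trail(self, email: str) -> list[tuple[datetime, str]]:
        rec = self._records.get(email)
        return list(rec.events) if rec else []
```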
There are 11 key steps for any business to consider, which are as follows:
Step 1: Awareness
Make sure key people in your organisation are aware that the law is changing. Get a team together involving compliance, HR and key decision makers and look at what needs to be done for May 2018.
Step 2: Document the personal data you hold
Find out what personal data you hold, where it came from, where it’s stored and any organisations you share it with. Obvious examples would be your back office (desktop or in the cloud), platforms and providers, etc.
One of the key principles is that any data you store should be relevant and accurate.
You need a process to keep it up to date and to ensure it is protected and most importantly you need to document this as it will help you demonstrate compliance.
Step 3: Communicating privacy information
Many companies rely on the one size fits all opt-out “Do you give us permission to hold and process personal data on your behalf?” If the client answers no, in most cases the organisation will decline to do business with that individual.
For GDPR you will need to go much further: explain what data you hold, how long you hold it for and for what purposes you are going to use it, and make individuals aware of their right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires this information to be provided in concise, easy to understand and clear language.
Step 4: Individuals’ rights
A key new right is the right of data portability.
Clients have the right to request the data you hold as a data controller.
You need to provide their personal data in a structured, commonly used and machine-readable form (probably CSV, Excel or XML).
It would be a good idea to check with your back-office supplier, and with any other systems that you use, that you can get access to client data in a suitable format reliably and easily.
Personal data could well be stored on attached documents and to comply you will also need to make these available for the client in a suitable format such as PDF.
Step 5: Subject access requests
Previously you had 40 days and could charge £10 for a subject access request.
Now, in almost all cases, they are free, so the number of requests is likely to increase, and you have only one month to comply.
You should carefully consider how you verify that the person making the access request is legally entitled to the data, because widening access to personal data makes it easier for that data to be compromised.
Step 6: Lawful basis for processing personal data
The relevance, i.e. the need for processing personal data, should be documented in your privacy notice.
Step 7: Consent
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, i.e. it cannot be inferred from silence, pre-ticked boxes or inactivity.
It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
Step 8: Children
Many advisers will hold personal data on behalf of their clients’ children.
The GDPR sets the age when a child can give their own consent to processing their data at 16.
If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
Step 9: Data breaches
You need to have procedures in place to detect data breaches and in most cases, will need to report these to the ICO and the individuals affected. Failure to notify can result in a fine in addition to the fine for the breach itself.
As a data controller, you will need to approve the third-party systems you use for storing personal data and make sure they have adequate controls and procedures in place for detecting and reporting data breaches regarding your personal data.
Step 10: Data Protection by Design and Data Protection Impact Assessments
The data you typically hold is of significant interest to fraudsters, and much of this personal data is shared via email.
There is a legal requirement to carry out a privacy impact assessment where highly sensitive data is processed, and if you’re passing this information via email you’re going to have to address this.
Stop sending information via email and implement a secure portal to communicate securely with your clients and share documents and other key financial information.
Data Protection Officer
You need to appoint someone in your organisation, or an external adviser, who has the knowledge, support and authority to take responsibility for your data protection compliance.
Step 11: Regularly review your Data Protection framework
And think very seriously before you email.
Email is probably your greatest risk, followed by inadequate protection of personal data on some back-office systems, which may not be using up-to-date encryption. Check with your supplier, and implement secure messaging as a minimum requirement for GDPR.
[1] The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Information Commissioner’s Office (ICO) - https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/
[2] This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. http://www.eugdpr.org/key-changes.html
https://www.dacbeachcroft.com/media/889653/european-data-protection-for-fs-interactive.pdf
https://www.pwc.co.uk/banking-capital-markets/assets/documents/customer-centric-banking-aligning-gdpr-psd-ii.pdf
https://www.adviser-hub.co.uk/Articles/entryid/204/better-business-are-financial-advisers-ready-for-gdpr
https://illuminate.nucleusfinancial.com/blog/gdpr-mean-financial-advisers/
https://www.raconteur.net/finance/how-eu-regulations-will-affect-uk-financial-firms