Penalties of up to €20m or 4% of total worldwide annual turnover of the preceding financial year.
This may get the attention of the Board – now what does it mean for training and competence professionals?
The aim of GDPR is clear: Personal data must be processed according to the six data protection principles –
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Must be accurate and kept up to date.
- Stored only as long as is necessary.
- Ensure appropriate security, integrity and confidentiality.
Larger firms are appointing a data protection officer and carrying out formal data protection impact assessments (DPIAs); others are taking a less prescriptive approach by attempting to answer four questions:
- What personal information do we hold?
- Why do we have it?
- Who has access to it?
- How long will we be keeping it?
Training – the rules require ‘the appropriate data protection training to personnel having permanent or regular access to personal data’. EU regulators looking to enforce the rules will assess training as part of the company’s overall commitment to data protection.
The starting point will be to understand the need to identify and document the lawful basis for any processing of personal data. The lawful bases are:
- Direct consent from the individual;
- The necessity to perform a contract;
- Protecting the vital interests of the individual;
- The legal obligations of the organisation;
- Necessity for the public interest; and
- The legitimate interests of the organisation.
Advisers facing clients therefore need to consider the way they frame the fact-finding process. It is likely that in most cases the basis will initially be the first or second; the fourth may apply once advice has been provided, since records have to be kept to meet regulatory obligations such as complaint handling. As part of the appointment-making process, or in the initial meeting, time should be taken to explain what information will be requested and why – remember that pre-ticked boxes accompanying generalised statements simply will not do. An example of the second basis would be someone asking for an insurance quote; they can be asked for sufficient information to generate that quote.
They will also need to consider who will have access and explain this to prospective clients. Most providers will be UK based or at least in the EU. Firms need to be confident that, when sending data to other firms (especially in other countries), they have appropriate standards in place. The transfer of personal data outside the EU is only allowed:
- Where the EU has designated a country as providing an adequate level of data protection;
- Through model contracts or binding corporate rules; or
- By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.
Would this be picked up in the product research process – does the screening identify firms in other jurisdictions and carry out sufficient due diligence?
Obtaining consent is typically the route where data is to be used for marketing purposes though I have read articles (written by cold calling organisations) arguing that they can use data to meet their legitimate interests. I think it will be clearer if firms are able to demonstrate that they have obtained explicit consent and that it was freely given. Staff need to be aware that information gathered to generate a quote cannot be added to a mailing list for future marketing without consent for that use being obtained. Staff also need to be aware of the right individuals have to withdraw consent at any time.
How do staff react when someone wishes to exercise their right to be forgotten or to correct data held about them? Social media platforms can expect to be bombarded with requests for embarrassing photos taken while drunk to be removed, but what about firms in the financial services sector, which hold information about an individual’s physical or mental health as well as ‘normal’ data such as name and contact details? Advisers should be aware that the right to be forgotten contrasts with a whole range of financial services specific rules, including MiFID II, which require them to keep records. However, a request to be forgotten has to be considered and reacted to appropriately; the adviser may, for example, have to retain information pertinent to a past transaction but cannot email that person to market a new service.
Identifying a breach – the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data likely to result in a high risk to the rights and freedoms of individuals. This could be a violation of dignity as well as physical, reputational or monetary injury. Staff need to understand that the company only has 72 hours in which to notify the Information Commissioner’s Office of a breach. Additionally, the clients affected by such a breach have to be notified without undue delay. Working through specific, firm-relevant examples would form part of an effective training programme so that the concept of high risk is clear.
A request to be forgotten or allegations of a breach are likely to be preceded by a Subject Access Request (SAR). The firm and its staff need to be able to furnish information to individuals who request it and do so in a secure and clear format within 30 days (instead of 40 under previous regulations). Helping staff to understand and communicate when a fee may be incurred will be useful. Reasonable fees can only be sought where requests are manifestly unfounded or excessive. The other use you may experience with a SAR is where a client wants to save the time of completing a new fact find by providing a new adviser with a copy of the information they have already provided to another firm. Clearly you could find yourself on either side of this new right to portability of information.
It is clear that GDPR anticipates a lot more detail and engagement between advisers and clients.