Preparing for GDPR
6 September 2017
GDPR will bring in greater responsibility for firms around personal data – and tougher fines for non-compliance. What is that going to mean for financial advice firms?
The demands placed upon financial advice firms regarding their use of personal data are set to increase in May 2018 with the introduction of the General Data Protection Regulation (GDPR).
Designed to improve the level of privacy protection for consumers, the GDPR will change the way businesses can collect, use and transfer personal data when it comes into effect on 25 May 2018. Financial advice firms will have to demonstrate greater responsibility over how they handle client data and failure to comply with the new regulation carries heavy penalties.
As an example of its potential impact, research from recruitment specialist Robert Half UK has revealed that two-thirds (66%) of CIOs will hire additional, permanent employees to cope with the introduction of the EU’s General Data Protection Regulation (GDPR) next year. A further 64% of CIOs will hire temporary or interim staff to ensure they have the highly-skilled talent in place to manage the change in data management and reporting.
Keith Richards, chief executive, Personal Finance Society, says: “The introduction of the GDPR represents the most important change in data privacy regulation in 20 years. The GDPR is a complex piece of legislation and it is important for financial advice firms to understand the implications for their business. GDPR considerably increases firms’ obligations and responsibilities and so it is important for firms to start preparing now.”
Similar to the existing Data Protection Act (DPA), the GDPR applies to personal data but is more detailed and far-reaching to capture the developments in technology.
The Information Commissioner’s Office (ICO) explains: “Having clear laws with safeguards in place is more important than ever given the growing digital economy. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.”
However, under the new rules, the amount of data deemed as sensitive will broaden and the level of control given to the consumer will increase significantly. The rules for businesses about obtaining clear, specific consent to use data will be far more demanding, and individuals will have the right to view their data and move that data away from a particular provider/platform if they choose to.
Compliance with GDPR will mean that many firms will need to alter their data security practices to some extent. Importantly, they must be able to demonstrate how they have complied with the rules and will need to ensure they have kept proof that consent has been freely given.
In addition, the rapid growth of the Internet has resulted in more individuals becoming vulnerable to cyber attacks and the GDPR adopts specific breach notification guidelines.
Firms will need to review their procedures around the obligation to notify certain breaches to the relevant supervisory authority within 72 hours of the organisation becoming aware of them. Also, where a breach is likely to result in a high risk to the rights and freedoms of individuals, firms must notify those concerned directly.
Regardless of their size, adviser firms need to be cognisant of the threat; under the new rules a data breach will not only damage a firm’s reputation but also incur a hefty fine. Firms should gain an understanding of the kinds of threat they face and know which team members have access to personal data.
Richards adds: “While some firms will be frustrated with heightening compliance costs, there are significant benefits for both firms and consumers. Data collection and exchange will underpin the growth of digitalisation in financial services and protection of this data is therefore vital as we build public confidence in the digital economy.”
Preparing for GDPR
Richards says that in preparing for GDPR an important first step for firms will be to undertake some form of data mapping exercise, gaining an understanding of where their data repositories are, what data they hold and how it is being used. This process can be supported by specialists who help companies audit data, and will assist firms in working out the compliance requirements for personal data they manage.
“For firms, a data audit can identify the data that is useful and how best to leverage its value. Consumers will have greater control over their data, agreeing in advance for it to be used and having the ability to withdraw its use,” he says.
Recognising that GDPR “will affect any firm carrying or using data for clients or customers, so this will affect a good number of our members and firms”, the CISI said that it was currently delivering “practical guidance on the Data Protection Act for CISI members through our online learning platform Professional Refresher”.
Data solutions specialist Iron Mountain recommends that firms document the personal data they hold, where it came from and with whom it is shared. It advises picking a particular area or department of the business and treating it as a test case for improving internal processes, examining how and where the information collected is used. In addition, firms should know individuals’ rights.
The London-based company explains: “Your procedures should address all the rights given to individuals. These include: having inaccuracies corrected; erasing information and preventing direct marketing without consent. Make sure you know who is making decisions about deletion and if your systems support this. Don’t forget to explore data portability and the formats you use to supply information.”
Larger firms that deal with a significant amount of consumer data, such as those handling workplace pensions or auto-enrolment, will be required to appoint a data protection officer. Furthermore, certain activities such as processing of sensitive data on a large scale will require a privacy impact assessment. However, smaller firms will not be placed under the same requirements.
The Federation of Small Businesses said it was “particularly pleased” that smaller businesses “will not be obliged to appoint a Data Protection Officer and undertake a costly Data Protection Impact Assessment”. It also welcomed “the decision that will allow smaller businesses to charge a reasonable fee for data requests that may be unfounded or deemed as excessive”.
However, charges can only be levied for manifestly unfounded, excessive or particularly repetitive requests, and firms will still need to provide information about how personal data is processed in a way that is concise, transparent, intelligible and easily accessible.
With just 12 months to go until the new legislation comes into force, financial advice firms should be examining the impact of the new rules on their systems and processes, and ensure their business will be compliant.