GDPR, in the form of the Data Protection Act 2018, has been in place in the UK since 25 May 2018. With the one year deadline now passed, ATEB Consulting’s Steve Bailey takes a look at how well it has been implemented in advice firms and 7 issues the compliance firm is still encountering.
GDPR – a quick refresher
Businesses that obtain or process personal data about a living individual must establish a ‘lawful basis’ for doing so.
There are six possible lawful bases, but the two that are most likely to be applicable in financial services are ‘Consent’ and ‘Contract’.
Consent
Consent was almost universally the basis that adviser firms used prior to DPA 2018 but it is generally not now considered to be the most appropriate for our industry for the following reasons.
- Consent must be clearly ‘freely given’;
- If you cannot offer a genuine choice over how you use their data, consent is not appropriate;
- If you would still process the personal data without consent, asking for consent is misleading and inherently unfair;
- If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.
The last point is relevant, as it is not possible for adviser firms to provide their services unless they can process personal data. In addition, consent must be renewed regularly (every two years or so is generally considered reasonable) and can be removed by the individual.
Issue number one:
Many firms have continued by default on a consent basis but do not necessarily appreciate all the implications above, especially the need for consent to be renewed.
Contract
We recommend the contract lawful basis as being the optimum basis for most firms. For this purpose, a contract with the individual exists if:
- you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract;
- you haven’t yet got a contract with the individual, but they have asked you to do something as a first step and you need to process their personal data to do what they ask.
Whichever basis is used, the firm’s privacy notice (and consent if applicable) should be kept separate from any other agreement or authorisation that the firm presents to the client – e.g. the client agreement.
Issue number two:
Many firms have incorporated their Privacy Notice and/or Consent into their existing Terms of Business or Client Agreement. These should be kept separate.
Issue number three:
Many firms have created a separate document but have not deleted the DPA 1998 references in other documents (usually the ToB, Client Agreement or Fact Find).
Issue number four:
Marketing consent – many firms still have longstanding wording seeking permission for the firm or third party firms to send the client marketing material. The wording is normally still within the Terms of Business or Client Agreement and should not be. Most firms that request marketing consent never actually use it. If firms really do wish to use data for marketing purposes they need to research the matter in great detail as there are additional onerous rules around marketing consent under GDPR/DPA 2018 but also implications arising from the Privacy and Electronic Communications Regulations (PECR), not least that consent needs to be specific, detailed and granular – it is not sufficient to offer one tick box for the client to consent to any marketing, at any time, from anyone.
Issue number five:
Privacy notices should inform clients of their rights under the DPA 2018. One of these is the ‘Right to object to processing’. Where a firm is relying on consent or contract as lawful basis, the right to object only applies to processing for marketing purposes.
Passing data to third parties
Firms inevitably have to pass client data to third parties, for example providers or compliance consultants! The rules require that the third party is specified.
Issue number six:
We see firms providing a generic list of possible third parties such as ‘providers, compliance consultants, etc.’ This is not sufficient. Third parties must be specifically identified.
Issue number seven:
Finally, we regularly see cases where an existing client has not been provided with an up to date Privacy Notice although meetings have taken place and/or advice has been provided since 25 May 2018.
Our View
RDR – several years on. MiFIDII – 18 months on. GDPR – one year on. What do these have in common?
The fact that many firms have not fully or correctly incorporated the requirements into their processes despite those requirements having been in place for some time.
Getting GDPR requirements wrong can have significant repercussions. One year on, it would be prudent to review your processes to ensure they fully comply.
