GDPR – two years on
24 May 2020
The General Data Protection Regulation, or GDPR as it is more familiarly known, took effect in May 2018. Two years on, Steve Bailey undertakes a quick review.
The intention of the legislation was to protect data and privacy in the European Union and the European Economic Area. It also addressed the transfer of personal data outside the EU and EEA areas. As the UK was, at the time, a member of the EU, we were obliged to give effect to the regulation. This was done in the form of the Data Protection Act 2018 (DPA 2018).
The DPA 2018 replaced the Data Protection Act 1998. The new rules largely mirror the DPA 1998 but go further in some important respects, primarily around consent, marketing restrictions and penalties for failing to follow the rules.
The Information Commissioner’s Office (ICO) continues to be the organisation responsible for oversight and enforcement of the DPA 2018.
Any organisation or individual that processes personal information needs to register with the ICO (unless an exemption applies).
‘Personal information’ means any detail about a LIVING* individual that can be used on its own, or with other data, to identify them. ‘Processing’ includes any of the following:
The ICO website provides a wealth of guidance with examples and should be the first port of call in the event of a query.
* That data protection only applies to living individuals is the general position. There are some special post mortem protections that apply to the recently deceased, for example in relation to obtaining health records, but ALL protections cease two years after the date of death.
A fundamental element of the rules is that there must be a lawful basis for processing personal data. It is likely that, prior to the DPA 2018, most financial firms relied on ‘Consent’ as the lawful basis. However, there are actually six lawful bases for processing data. Consent continues to be one of those, but another, ‘Contract’, is widely considered to be a more appropriate lawful basis for many adviser firms for a variety of reasons that we will not go into here. A couple of the other lawful bases might be valid in certain circumstances but should not be used as a matter of course, for example, ‘Legitimate interests’, and firms’ privacy notices should be absolutely clear about which lawful basis is being relied upon.
The Contract basis applies where processing of personal data is required in order to supply goods or services the individual has requested, or to fulfil obligations under an employment contract. This also includes steps taken at the request of an individual before entering into a contract. No client signature is required.
Firms that choose to rely on Consent must ensure that it is ‘valid’. The conditions required to obtain valid consent are more onerous post GDPR. Full details can be found on the ICO website but include that consent must:
Consent can be withdrawn at any time, and it must be ‘refreshed’ regularly. The DPA 2018 is silent on how frequently consent should be refreshed, but the ICO recommends every two years unless there is a robust reason for a less frequent refresh.
That means that all clients as at May 2018 whose GDPR consent was obtained at that time will require that consent to be refreshed soon.
It also means that firms must keep good records covering:
Refer to the ICO website for further detail.
Special category data
This refers to information that requires additional protection and which, as a result, is subject to additional safeguards. Such information relates to any of the following:
The rules around processing of any of these data are quite involved but the key point for adviser firms is that consent is always required where such information is being processed. Health information is the one that is most likely to apply in the advice process, but it is possible to use consent for special category data alongside the contract basis only on those occasions where consent is required. For example, if the advice being provided relates solely to say, an ISA investment, it is unlikely that health information will be required.
Note that separate rules apply to personal data about criminal allegations, proceedings or convictions.
Issues with DPA 2018
Below are some of the issues we have come across in the past two years.