GDPR – two years on

24 May 2020

The General Data Protection Regulation – or GDPR, as it is more familiarly known – took effect in May 2018. Two years on, Steve Bailey undertakes a quick review.

The intention of the legislation was to protect data and privacy in the European Union and the European Economic Area. It also addressed the transfer of personal data outside the EU and EEA areas. As the UK was, at the time, a member of the EU, we were obliged to give effect to the regulation. This was done in the form of the Data Protection Act 2018 (DPA 2018).

What changed?
The DPA 2018 replaced the Data Protection Act 1998. The new rules largely mirror the DPA 1998 but go further in some important respects, primarily around consent, marketing restrictions and penalties for failing to follow the rules.

  • Obtaining valid consent is more stringent;
  • There are additional restrictions on marketing activities;
  • There are significant penalties for data protection breaches. There are two tiers of penalty – standard and higher. Standard fines apply to less serious breaches such as administrative errors and can be up to €10m (or equivalent in sterling) or 2% of a firm’s annual worldwide turnover, whichever is higher. Higher fines apply to breaches of data protection principles or to transfers of data to third countries (i.e. outside the EU/EEA) and can be up to €20m (or equivalent in sterling) or 4% of a firm’s annual worldwide turnover, whichever is higher.

ICO
The Information Commissioner’s Office (ICO) continues to be the organisation responsible for oversight and enforcement of the DPA 2018.

Any organisation or individual that processes personal information needs to register with the ICO (unless an exemption applies).

‘Personal information’ means any detail about a LIVING* individual that can be used on its own, or with other data, to identify them. ‘Processing’ includes any of the following:

  • obtaining it;
  • recording it;
  • storing it;
  • updating it; and
  • sharing it.

The ICO website provides a wealth of guidance with examples and should be the first port of call in the event of a query.

* That data protection only applies to living individuals is the general position. There are some special post mortem protections that apply to the recently deceased, for example in relation to obtaining health records, but ALL protections cease two years after the date of death.

Lawful basis
A fundamental element of the rules is that there must be a lawful basis for processing personal data. It is likely that, prior to the DPA 2018, most financial firms relied on ‘Consent’ as the lawful basis. However, there are actually six lawful bases for processing data. Consent continues to be one of those, but another, ‘Contract’, is widely considered to be a more appropriate lawful basis for many adviser firms, for a variety of reasons that we will not go into here. A couple of the other lawful bases, for example ‘Legitimate interests’, might be valid in certain circumstances but should not be used as a matter of course. Firms’ privacy notices should be absolutely clear about which lawful basis is being relied upon.

The Contract basis applies where processing of personal data is required in order to supply goods or services the individual has requested, or to fulfil obligations under an employment contract. This also includes steps taken at the request of an individual before entering into a contract. No client signature is required.

Firms that choose to rely on Consent must ensure that it is ‘valid’. The conditions required to obtain valid consent are more onerous post GDPR. Full details can be found on the ICO website but include that consent must:

  • be clear about what is being consented to;
  • be freely given;
  • not be a pre-condition of providing a service;
  • be an affirmative opt-in choice;
  • be separate from any other client authorisation, e.g. a client agreement;
  • be refreshed if any aspect for which consent is given changes.

Consent can be withdrawn at any time, and it must be ‘refreshed’ regularly. The DPA 2018 is silent on how frequently consent should be refreshed, but the ICO recommends every two years unless there is a robust reason for a less frequent refresh.

That means all clients as at May 2018 whose GDPR consent was obtained at that time will require that consent to be refreshed soon.

It also means that firms must keep good records covering:

  • Who consented;
  • When they consented;
  • What they were told at the time;
  • How they consented, and to what;
  • Whether they have withdrawn consent; and if so, when.

Refer to the ICO website for further detail.

Special category data
This refers to information that requires additional protection and which, as a result, is subject to additional safeguards. Such information relates to any of the following:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data;
  • health;
  • sex life; and
  • sexual orientation.

The rules around processing any of these data are quite involved, but the key point for adviser firms is that consent is always required where such information is being processed. Health information is the one most likely to arise in the advice process. It is possible to rely on the contract basis for ordinary personal data and to use consent for special category data only on those occasions where it is actually needed. For example, if the advice being provided relates solely to, say, an ISA investment, it is unlikely that health information will be required.

Note that separate rules apply to personal data about criminal allegations, proceedings or convictions.

Issues with DPA 2018
Below are some of the issues we have come across in the past two years.


Professional Paraplanner