Regulation: GDPR – what it is and how to prepare for it
GDPR will bring in greater responsibility for firms around personal data and tougher fines. Fiona Bond looks at what it means and how financial advice firms can prepare for it.
The demands placed upon financial advice firms regarding their use of personal data are set to increase next May with the introduction of the General Data Protection Regulation (GDPR).
Designed to improve the level of privacy protection for consumers, the GDPR will change the way businesses can collect, use and transfer personal data when it comes into effect on 25 May 2018. Financial advice firms will have to demonstrate greater responsibility over how they handle client data and failure to comply with the new regulation carries heavy penalties.
Keith Richards, chief executive, Personal Finance Society, says: “The introduction of the GDPR represents the most important change in data privacy regulation in 20 years. The GDPR is a complex piece of legislation and it is important for financial advice firms to understand the implications for their business. GDPR considerably increases firms’ obligations and responsibilities and so it is important for firms to start preparing now.”
What does the GDPR mean for businesses?
Like the existing Data Protection Act (DPA), the GDPR applies to personal data, but it is more detailed and far-reaching, reflecting developments in technology since the DPA was written.
The Information Commissioner’s Office (ICO) explains: “Having clear laws with safeguards in place is more important than ever given the growing digital economy. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.”
However, under the new rules the categories of data deemed sensitive will broaden and the level of control given to the consumer will increase significantly. The rules for businesses about obtaining clear, specific consent to use data will be far more demanding, and individuals will have the right to view their data and to move that data away from a particular provider or platform if they choose to.
Compliance with GDPR will mean that many firms will need to alter their data security practices to some extent. Importantly, they must be able to demonstrate how they have complied with the rules and will need to ensure they have kept proof that consent has been freely given.
In addition, the rapid growth of the Internet has left more individuals vulnerable to cyber attacks, and the GDPR introduces specific breach notification requirements.
Julian Harris, owner of network Julian Harris Financial Consultants, says: “Firms need to review their procedures around the obligation to notify certain breaches to the relevant supervisory authority within 72 hours of the organisation becoming aware of them. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, firms must notify those concerned directly.”
Regardless of the size of the firm, advisers need to be cognisant of the threat: under the new rules a data breach will not only damage a firm’s reputation but may also attract a hefty fine. Firms should gain an understanding of the kinds of threats they face and know which team members have access to personal data.
Richards says: “While some firms will be frustrated with heightening compliance costs, there are significant benefits for both firms and consumers. Data collection and exchange will underpin the growth of digitalisation in financial services and protection of this data is therefore vital as we build public confidence in the digital economy.”
How can firms prepare for GDPR?
Richards says: “An important first step for firms will be to undertake some form of data mapping exercise, gaining an understanding of where their data repositories are, what data they hold and how it is being used. This process can be supported by specialists who help companies audit data, and will assist firms in working out the compliance requirements for personal data they manage.
“For firms, a data audit can identify the data that is useful and how best to leverage its value. Consumers will have greater control over their data, agreeing in advance for it to be used and having the ability to withdraw its use,” he adds.
Recognising that GDPR “will affect any firm carrying or using data for clients or customers, so this will affect a good number of our members and firms”, the CISI said that it was currently delivering “practical guidance on the Data Protection Act for CISI members through our online learning platform ‘Professional Refresher’ and we will be including an update on the new GDPR regulations within this e-learning module in the summer of 2017”.
Data solutions specialist Iron Mountain recommends that firms document the personal data they hold, where it came from and with whom it is shared. It advises taking a particular area or department of the business and treating it as a test case for improving internal processes, examining how and where the information collected is used. In addition, firms should know the rights that individuals have over their data.
The London-based company explains: “Your procedures should address all the rights given to individuals. These include: having inaccuracies corrected; erasing information and preventing direct marketing without consent. Make sure you know who is making decisions about deletion and if your systems support this. Don’t forget to explore data portability and the formats you use to supply information.”
The obligation to appoint a data protection officer turns on the nature and scale of processing rather than on the size of the firm: firms processing personal data on a large scale, such as those handling workplace pensions or auto-enrolment, will be required to appoint one. Likewise, high-risk processing, such as processing sensitive data on a large scale, will require a data protection impact assessment (DPIA). Smaller firms whose processing does not reach that threshold will not be placed under the same requirements.
The Federation of Small Businesses said it was “particularly pleased” that smaller businesses will not be obliged to appoint a Data Protection Officer and undertake a costly Data Protection Impact Assessment. It also welcomed “the decision that will allow smaller businesses to charge a reasonable fee for data requests that may be unfounded or deemed as excessive”.
However, Harris warns that access requests require thought by all firms as charges can only be levied for manifestly unfounded, excessive or particularly repetitive requests and will need to include information about how personal data is processed in a way which is “concise, transparent, intelligible and easily accessible.”
With just 12 months to go until the new rules take effect, financial advice firms should be examining the impact of those rules on their systems and processes, and ensuring their business will be compliant.
Mike Cherry, National Chairman, Federation of Small Businesses, says: “The GDPR is complex and smaller firms will need bespoke support and guidance to minimise the burden as much as is practical. FSB is talking to the Government to raise our concerns and get the best outcome for small businesses.”
Fiona Bond is a freelance business writer