The new EU General Data Protection Regulation (GDPR), adopted in 2016, will be directly applicable from May 25, 2018. GDPR brings significant changes compared to the Data Protection Directive 95/46/EC, and those changes have operational consequences for organisations.
As a result, organisations need to be extremely aware of these changes as they can face very strict fines in the cases of non-compliance.
The most important change in data privacy regulation in 20 years, GDPR is a regulation issued by the European Commission, the European Parliament and the Council of Ministers of the European Union with the goal of improving data protection for individuals within the European Union.
The objective is to give citizens more control over how their personal data is used as well as provide firms with a clear legal and standardised structure within which they can operate.
Who is affected?
- Any firm that possesses or processes data pertaining to an identifiable person
- Any firm that contacts those individuals via email, phone, SMS or mail
- Any firm that tracks their engagement via e-shots, cookies or landing pages for the purpose of profiling an individual
Essentially, the GDPR applies to ‘controllers’ and ‘processors’ that are handling the individual’s personal data. Article 4 of this regulation clarifies the different roles:
Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (i.e. it specifies how and why data is processed).
Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (i.e. it carries out the data processing).
Article 5 goes on to stipulate: “The controller shall be responsible for, and be able to demonstrate compliance with, the Principles”. So it’s an important job!
Consequences of non-compliance: We know this won’t apply to your good selves, but this is pretty officious, with fines of up to €20M or 4% of total worldwide turnover for the preceding financial year, and, wait for it, whichever is higher.
The 6 tests for lawful processing of data: Article 6 of the GDPR sets out the conditions under which processing of personal data is lawful.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
It is likely that in a highly regulated environment the 'test' you need to apply to your client's data is legitimate interests. This means you do not necessarily require consent, but you will need (in our opinion) an opt-out if you continue to offer separate marketing services to these clients. This is good news, as it means you hold the right to retain the data on the basis that doing so is essentially in the client's best interests. For example, a client's data could have a bearing on the suitability of your advice; risk profiling and capacity for loss are a clear illustration of this test. Put simply, legitimate interest is the option that doesn't involve people saying no.
Appropriateness of product features and benefits to match client needs could also mean you need to ensure you have the client's legitimate interests at heart when holding their data and marketing products to them to meet their needs.
N.B. Relying on legitimate interests also means you will need to assess your client's personal data, contract wording and agreements to ensure this test actually applies.
Marketing and ePrivacy regulation: It is worth noting that the GDPR only partially covers marketing. The Privacy and Electronic Communications Regulations (PECR), currently being re-written, focus on electronic communications, specifically:
- Marketing calls, emails, texts and faxes
- Cookies (plus similar)
- Security of communication services
- Privacy around traffic and location data, itemised billing, line ID and directory listings
The new version of the PECR moves every method of e-communication to a consent basis. We suspect this could be the end of much cookie-based 'pop-up' marketing on the internet.
So, to bring this into our world and make sense of how to be GDPR ready and apply it to your firm, our #RegTech platform Model Office (MO) tests for nine principles:
MO’s #RegTech 9 GDPR principles:
- Data lawfulness, fairness & transparency: Open and honest collection methodology with a clear and comprehensive website disclaimer, care around children under 16 and obtaining consent from those with parental responsibility
- Consent: The right to opt in/out, your clients' rights to be forgotten, their data portability and erasure
- Legitimate Interests: Likely to be most appropriate where you use client’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing
- Purpose limitation: Obtain your clients' informed consent, and use data only for the purposes and time frame agreed with them
- Data minimisation: Gather only the client data that is needed
- Accuracy: Cleanse client data to ensure it is up to date
- Storage limitation: Your data retention policy and your criteria for deletion
- Integrity & confidentiality: Cyber-crime strategy, loss and unauthorised usage protection
- Accountability: Who, in or outside the business, should be responsible for monitoring the data and ensuring GDPR/PECR compliance and assessment of existing data, contracts and agreements
So what’s next? Well, certainly you’ll want to give MO's #RegTech platform a go and assess how your firm is impacted, then identify and assess your current data and its flow through your investment systems (wrappers/platforms/centralised investment propositions) and practice management technologies. You can also sign up with the innovative crew at Moneyinfo, who are running a GDPR roadshow in 2018. Plus, we will run a suite of GDPR #RegTech webinars in January/February 2018.
By doing this, you can understand whether your firm has the required tools to protect private data, or gain insight into the tools you may need to support your organisation in achieving GDPR compliance.
Conducting a MO audit and investing in solutions like data loss prevention/cyber protection (a blog for another day) can help get you to compliance faster. Treat compliance with GDPR as a project and (I hate to say it) hire a lawyer to ensure you adhere to all guidelines.
Model Office's (MO's) 'Your Systems' key covers all the GDPR details you need for a digital compliance and business audit review, plus strategies and guidance on what to do next.