The Model Office Blog

The GDPR Overview, Disclaimers and Privacy Notices

Feb 26, 2018 3:18:54 PM / by Chris Davies

Introduction: We publish our GDPR Unwrapped guide shortly. One key area it covers is how the GDPR adds new layers of data protection onto the existing Data Protection Act (DPA). One of the key areas that needs focus is the set of client documents your firm has in place with your clients. These could be:

  1. Client Service Agreement
  2. Financial and Investment Planning Brochure
  3. Terms of Business

The website disclaimers will also require a review. This includes:

  1. Your Terms and Conditions
  2. Your Data Privacy Policy and Notice

The ICO’s Data Privacy Policy: The first principle of data protection is that personal data must be processed fairly and lawfully. Thus you must be clear on:

  • Who the data controller is
  • Purpose(s) for which the information is processed
  • Any further information necessary in specific circumstances to enable fair processing

The main elements of fairness include:

  • Using the information in a way that people would reasonably expect.
  • Thinking about the impact of processing
  • Transparency and ensuring that people know how their information will be used.

Thus to cover all this you now need to consider:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Strategy: You need to start by ensuring the right people are in the right roles with the right skills:

Essentially, the GDPR applies to ‘controllers’ and ‘processors’ that are handling the individual’s personal data. Article 4 of this regulation clarifies the different roles:

Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”, i.e. specifies how and why data is processed.

Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”, i.e. conducts data processing.

Article 5 goes on to stipulate: “The controller shall be responsible for, and be able to demonstrate compliance with the Principles”. So it’s an important job!

Data Protection Officer: If you have fewer than 250 employees then you will need a DPO designate, who can also be the data controller within the business.

Data Audit: Model Office's (MO's) preferred approach would be for you to start assessing your data collection and usage behaviour with the GDPR in mind and employ an Information Asset Register (IAR) which will ensure a comprehensive audit is undertaken at outset before re-writing any privacy statements or disclaimers. 

Privacy Impact Assessment: The problem we have is how data is collected. This can be done directly or indirectly and, in particular, by tracking people online, combining other data sets or using algorithms to analyse data.

A risk register is a good place to start, as the privacy risks need to be mapped across all client data held inside and outside the business. This should cover risks such as personal information held being:

  • excessive or irrelevant;
  • inaccurate, insufficient or out of date;
  • kept for too long;
  • disclosed to those who do not want to have it;
  • used in ways that are unacceptable to or unexpected by the person it is about; or
  • not kept securely.

Similar to a risk register, the PIA should incorporate the following steps:

  • Describe the information flows
  • Identify the privacy and related risks
  • Identify and evaluate privacy solutions
  • Sign off and record PIA outcomes
  • Integrate the outcomes into the project plan
  • Consult with internal and external stakeholders as needed throughout the process

Individual rights: This includes how you would delete personal data or provide data electronically. The GDPR includes the following rights:

  • The right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability (This is new)
  • Right to object
  • Right not to be subject to automated decision-making including profiling

Subject access requests: This largely remains the same but with a few changes:

  • In most cases, you cannot charge for complying with a request
  • You will have a month to comply (previously 40 days)
  • You can refuse or charge for requests that are unfounded or excessive
  • If you do refuse a request, you must explain clearly why to the individual who made the request and tell them that they may complain to the supervisory authority and seek a judicial remedy. This again must be within one month

Basis for processing personal data: This differs from the DPA in that some of an individual’s rights are modified depending on your lawful basis for processing their personal data. So, identify the legal basis on which you process data and document it, and update your privacy statement accordingly.

These are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

In a highly regulated environment, you could choose to use legitimate interests with your clients, as they have already opted in so you have their consent (hard or soft), and thus you are required to hold their data based on the FCA record-keeping and retention period rules. In our view, though, your agreements will need to offer a hard opt-out at all times, even if you choose legitimate interests, to comply with the right to withdrawal principle.

Disclaimer and Privacy notice content: This needs to be transparent, clear and unambiguous, and to cover:

  • Your business’s contact details
  • What data is held – where sourced
  • Reasons for collecting and using personal data
  • Legal basis for processing personal data
  • Any 3rd parties that you work with
  • Privacy Policy and notice
  • Details of your retention periods
  • Your customer's rights (including right to withdraw consent and right to lodge a complaint)

Consent: The GDPR states that consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, i.e. it cannot come from a pre-ticked box, be inferred, or be taken from inactivity. It must be separate from other terms and conditions, and you must have a simple way for people to withdraw consent.

If data is processed for several purposes then consent must be obtained for each of them. You should request only the relevant data for the purpose it is used.

You also need to ensure any third parties involved (e.g. outsourced partners) in gaining client consent are also disclosed.

Children: Article 8 of the GDPR sets out specific protections for information relating to children. The GDPR sets 16 as the age at which a child can provide their own consent to the processing of their data. If younger, then you will require permission from the person holding ‘parental responsibility’.

Data Breaches: You now need to ensure you report any breach of client personal data within 72 hours of detection. You will need a process in place that covers how the data controller and processors notify each other, how the report is made to the ICO and how the breach is dealt with. Ideally, you will need:

  • A response procedure
  • Definition of responsibilities
  • Verification and initial assessment process
  • Identification process of who needs to be notified and how the incident is communicated
  • Maintenance of business continuity and a process to minimise the impact
  • Assess the cause and implement measures to prevent future incidents
  • Review the incident response and update policies where required

International: This is relevant if you operate from more than one EU member state, but the GDPR does apply to any internationally based organisation that processes data for any individual who resides within the EU.

Code of conduct: Finally, but not least, we would recommend you structure a code of conduct within the business to cover:

  1. Fair & transparent processing
  2. Collection of personal data
  3. Information for individuals & their rights
  4. Information for & protection of children
  5. Security measures
  6. Breach notification
  7. Data transfers outside the EU
  8. Dispute resolution

Summary: Your firm needs to build on the good work under the DPA and structure its data processing, privacy notices and disclaimers to ensure full compliance with the GDPR prior to 25th May 2018.
