In our previous Newsletter (see here) we wrote of the significant challenges posed by the General Data Protection Regulation for all firms holding personal data, not just financial services firms.
In this issue of our Newsletter we have chosen (unusually) to focus solely on GDPR, given its applicability to all firms. Whilst we don’t hold ourselves out as GDPR experts, Fulcrum Compliance’s own implementation of the regulations has made clear some of the issues which clients – and firms generally – face.
Coming into force at the end of May, GDPR requires firms to take the widest possible view of the data they hold – why they hold it, where they hold it and how they hold it.
Our advice to clients so far has centred on the following issues:
- All firms will be Data Controllers of employee, client and prospect data.
- As such, Controllers are accountable for adherence to the 6 Principles of data protection set out in GDPR and must be able to demonstrate compliance.
- Personal data held must be treated in the same way as any other confidential information held by the firm – it must be held securely in resilient systems.
- In order to do that, firms must know what they are holding, where and how they are holding it as well as why they are holding it – i.e. that they have a “lawful basis” for holding it.
- This applies equally to those processing data on your behalf – mail houses, market researchers, etc.
- Clients are unlikely to be required to appoint a Data Protection Officer. These are only required when processing sensitive data or processing on a large scale.
- Firms are only required to report breaches to the ICO within 72 hours when that breach might result in harm to the rights and freedoms of the individual about whom the breach has occurred. Such reporting is unlikely to be necessary but firms should consider whether there is a risk of identity theft as a result of the breach.
- The thorniest issues centre around marketing. Current draft EU regulations may allow marketing approaches to current and past clients (but not necessarily to prospective clients) but these will in any event not necessarily have been enacted when GDPR comes into force.
- Similarly, existing ICO Guidance on the “soft opt-in” to marketing approaches appears not to cover prospective clients.
- Consent to marketing approaches must be consistent with the new requirements for the granting of consent, i.e. it must be affirmative, opted-in, informed and freely given.
- To this end firms need to consider what data they hold on CRM systems, and how much is actually required for the delivery of the service.
- Firms should not rely on the granting of consent by their clients as the lawful basis for holding their data. Consent can be withdrawn. Firms’ contractual terms should make clear that data is held (perhaps) for the purposes of delivering the contracted service and/or for regulatory purposes.
- Firms need to encompass all of the above, specifying the location of data and how it is secured, in a Data Protection Policy.
Our Next Steps
Fulcrum Compliance will itself be reviewing its own processes to ensure that they are in order. Our new Data Protection Policy will be accessible from our web site. Our Terms of Business will be updated to reflect our processes.
As regards this Newsletter, we will be reviewing our mail list to ensure that recipients are either past or current clients or have already given explicit consent via our web site to receive it. We will be writing to everyone else to invite them to opt in.