The General Data Protection Regulation will come into effect on 25th May 2018, bringing protection of personal data into the modern digital world with the accountability squarely on the business.
Yesterday (7 August), the Department for Digital, Culture, Media and Sport (DCMS) announced the bill will be presented to parliament after summer recess.
In particular, companies will need to review their current data protection compliance and make sure they have the right policies and procedures to detect, report and investigate a personal data breach.
For financial adviser firms this translates to controlling and safeguarding client data – where and how they acquired it, how and who it is shared with and how and where the data is stored.
The Forum of Private Business, a lobby group for business, is calling on the government to form a working group to consider the impact on small businesses of the proposed GDPR legislation.
Many financial advice firms are small and medium enterprises.
Ian Cass, chief executive of the Forum, said: “Many people will welcome tighter controls on who owns their personal data an how it is used, and as such the intent of the GDPR legislation is fine, but it appears that no one in power has thought about the small and micro businesses that make up 98 per cent of the UK’s 5.2 million businesses, account for more than half of the country’s employment and are the economic engine of the high street."
"There is the potential for this legislation to impact the way many of these businesses operate and market themselves, and even force them to close down,” said Mr Cass.
The Forum has four main concerns regarding the new bill.
Firstly, that only larger businesses, with in house compliance guidance or the budget to employ outside consultants, have paid any attention to what the implications of the legislation are.
The Forum is also concerned there are unintended consequences that could impact small businesses, and that these issues have been given inadequate attention.
Another issue is the extent to which electronic communication is used with existing and prospective customers by small businesses.
Finally the Forum wants the issue of the potential increase in costs that could hit small firms, due to potential need to employ or train staff to deal with compliance on data management or buy online data management tools.
However Susan Hill, a chartered financial planner at Susan Hill Financial Planning, is skeptical about the Forum's concerns.
“I do not think it will increase our burden. I run a small business, and we have adapted our system [to comply with the new legislation].
"We have a secure communication with clients, with everything stored in a safe place. I think [the GDPR] is a good measure,” she said.
Ms Hill considers the impact of the GDPR depends on how people run their businesses.
“We have a paperless office, with a high level of security,” she said.
Andy Crow, a certified GDPR practitioner, and director and co-founder of Chorus Business Advisers, said businesses should already be aware of the implications of the new law.
“Whilst this is a new announcement, the UK bill is an extension of the European GDPR law [which] has been in the public domain since May 2016.
"The law says that companies should have the appropriate organisational and technical measures to comply with the law.
"In reality, if you are a small business you are not expected to have the same expensive levels of security and procedures of a FTSE 100 company,” he said.
“Small businesses should not panic but should take proper advice."
