Regulation | Feb 8 2017

Restoring trust in a digital age


The most important change in data privacy regulation in 20 years is on the horizon and we need to prepare for its introduction now.

The EU General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016 and will take effect after a two-year transition period, meaning that by May 2018 it will be in full force. It will apply to firms who process data about individuals in the context of selling goods or services within the EU.

It will be unaffected by Brexit as the government has already confirmed that we will be implementing the regulation in the UK. A lot of the GDPR was drafted in the UK, so the government’s stance is not surprising. The regulation will also support the digital economy in the UK and around the world as it develops.

Data collection and exchange – including large amounts of often sensitive personal data – will underpin the growth of digitalisation in financial services. Protection of this data is therefore vital as we build broader public confidence in the digital economy.

In the UK, the Information Commissioner’s Office is the lead supervisory organisation with responsibilities for the implementation of GDPR. At the end of last year two leading charities were subjected to significant fines for breaching the ICO data rules. The GDPR will give the ICO the power to impose fines of up to 4% of total global turnover on firms, so not complying with the regulations could be very costly.

The GDPR defines personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” This is a broad definition and firms need to get to grips with the implications.  

With the implementation of GDPR, people will also be given greater control over their data. This means agreeing in advance for it to be used and having the ability to withdraw that consent. In practice, most of us are comfortable sharing some of our personal data; we do it all the time online. But, as the ICO points out, we also have a right to expect firms to keep that information safe, to be transparent about its use and to demonstrate their accountability for their compliance.

Although the ICO will be the lead supervisory authority in the UK, it will be possible for other supervisory authorities to intervene if an issue relates to a data controller – the entity that determines the purposes, conditions and means of the processing of personal data – or a data processor – an entity which processes data on behalf of the controller – established in their member state, or if data subjects in their member state are otherwise substantially affected.

The GDPR is a complex piece of legislation and it is important for financial advice firms to understand the implications for how they conduct business. The ICO and EUGDPR websites offer useful information and are good places to start.

Being compliant with GDPR will differ from business to business and firms will need to gain an understanding of how they use data today. For many, the new regulations could be a game changer, so making sure that you appreciate the implications for your business should be a priority.

David Dalton-Brown is director general of Tisa