Data protection  

Big GDPR fines not just for breaches, advisers warned

Big GDPR fines not just for breaches, advisers warned

Advisers have been told they shouldn't assume the biggest penalties under the incoming General Data Protection Regulation will be for massive data breaches.

Top level fines can also be handed out for simply emailing people who haven't consented, delegates were told today (22 March).

The conference on GDPR - EU-wide regulation which comes into force in the UK on 25 May - was organised by the Personal Investment Management and Financial Advice Association.

Article continues after advert

Duc Tran, a senior associate at law firm Herbert Smith Freehills, said the GDPR regime allowed regulators to levy tier one and tier two fines.

The second tier will be up to €10m (£8.7m) or 2 per cent of turnover and the first tier will be up to €20m (£17.4m) or 4 per cent of turnover.

Mr Tran said: "If you have done mass spam marketing to clients that are not expecting it, it will be a breach of any one of articles five, six, seven and nine of GDPR and will be tier one.

"It is not just huge scale data breaches that attract huge fines. It is errors and lapses in the ordinary course of business that can attract the highest level of fines from the Information Commissioner's Office (ICO)."

However Mr Tran said the ICO tends to hand out smaller fines than other regulators, which he said may reflect the fact it is not funded by the fines it levies.

The ICO has only fined 17 per cent of the maximum level that it is able to, which is an average maximum fine of £80,000.

Mr Tran said: "They tend to place more of an emphasis on education, and helping organisations get into the place they should be rather than instantly going to the issue of fines."

GDPR, which is a Europe-wide regime, introduces a number of regulations which will affect financial advisers.

These include clients' right to erasure, meaning an individual can request the deletion of personal data relating to them, and the right to access, meaning an individual can demand information on how their data is being used and a free copy of their personal data.

It also introduces the right to data portability, which means a person must be able to transfer their personal data from one system to another without being prevented by the handler of their data. 

Meanwhile explicit consent must be obtained for the collection of data and all the purposes it is used for, while all data breaches must be reported within 72 hours.

Wendy Saunders, also a senior associate at Herbert Smith Freehills, said advisers would also have to make sure and companies they outsourced their services to complied with GDPR and this would have to be addressed in the contract.

She said: "In fact the ICO has plans for a standard clause for the transfer of data."

damian.fantato@ft.com