Data protection | 12 April 2018

What is GDPR in a nutshell?


As consumers, many of us have become used to handing over our personal information to companies, only to feel slightly uneasy when we hear about another data breach in the news.

Likewise, financial advisers and financial services firms are familiar with the process of collecting data from clients and storing it.

But recently, companies across various sectors have come under scrutiny for data breaches which left their clients’ data vulnerable.

One of the world’s largest social media sites, Facebook, has made headlines for all the wrong reasons as it was revealed the way in which some users’ data was used may have helped recent election outcomes.

As of 25 May this year, the General Data Protection Regulation, or GDPR, will come into force, replacing the UK's Data Protection Act 1998.

Steve Snaith, technology risk assurance partner at RSM, describes GDPR in a nutshell: “The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.  

“The regulations will transform how businesses need to store and manage personal data and will replace current EU data legislation.”


The legislation is being introduced to protect consumers from companies using their data unlawfully and from being left vulnerable should any of those companies that hold their data suffer a data breach.

Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, notes: “New provisions require people to give explicit consent around use of their data – a pre-checked box is not enough – and give individuals the right to access and take greater control over the data you hold on them.

“There are also increased sanctions for data protection breaches and notification requirements when a breach occurs.”

The GDPR rules should also help firms be prepared in the event they are the victim of a cybersecurity incident, ensuring they have the correct policies and procedures in place to detect such an incident, contain it and, where personal data is affected, notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Companies which fail to do so face significant penalties of as much as €20m or 4 per cent of global annual turnover, whichever is higher.

Giulia Lupato, senior policy adviser at the Personal Investment Management and Financial Advice Association (Pimfa), lists the main points for adviser firms to note as they prepare for GDPR to come in:

  • GDPR describes the lawful grounds for processing of personal data.
  • Requires firms to have in place adequate personal data risk management, policies and procedures.
  • Requires robust record keeping and audit trails.
  • Contains an obligation to notify the regulator of breaches.
  • Contains enhanced data subject rights such as the right to erasure, data portability, objection to processing, for example for direct marketing purposes.
  • Contains information obligations to data subjects.
  • Contains enhanced regulator investigation and sanctioning powers.

Regulatory crossover

It comes hot on the heels of Mifid II, which was introduced at the start of the year.

So is there any crossover between the two?

Ms Lupato says GDPR is certainly not intended to create inconsistencies with other legislation, such as Mifid II.

The main difference between the two, according to Ms Gibson, is that GDPR will require firms to change the way in which they store and process client data, while Mifid II requires firms to increase the amount of data they collect and store.

“It will therefore be important to review Mifid II compliance in tandem with GDPR to ensure that systems used to handle data and retain client information meet both sets of requirements,” she confirms.

Rob Walton, chief operating officer at Intelliflo, clarifies: “The GDPR does not supersede other regulatory regimes, for example Mifid II, in the financial services industry.

“Where data is required to be kept under other regulations, then firms have the right to keep it, but they must be able to justify their reasons for processing the data they hold. The GDPR is not an industry specific regulation, rather it is one designed to improve the data rights of individuals across all industries.”

In conflict?

But Mifid II is not the only regulation GDPR will have to sit alongside.

Open Banking was recently brought in, allowing regulated and authorised financial services firms in the UK to access customer account data held by other providers, with the customer's permission, with the idea that consumers can better control their money.

The Open Banking website claims: “We were created, in 2016, by the Competition & Markets Authority and the UK’s nine largest providers of personal and business current accounts to change the market for retail banking forever.

“We aim to do that by creating a single standard which regulated and authorised companies can use to access accounts held by a wide range of banks and building societies.”

Jon Szehofner, founding partner at GD Financial Markets, points out: “In terms of how the GDPR will practically work alongside other European regulation, I think it is interesting to consider the Payments Security Directive (PSD2) and the move towards open banking. 

“Both GDPR and PSD2 are built on the principle that individuals own their personal data and should therefore be able to choose how it is used and with whom it is shared. 

“However, the EU’s policy objective to free up consumer access to new technologies is in conflict with the EU’s tough stance on data protection and privacy.” 

He adds: “Firms will need to find the right balance between providing customer data to permit access to new applications while also protecting the data as per the GDPR.”

For those who are wondering where Brexit comes into all of this: as the UK is still a member of the EU, the rules apply.

Steven Rhodes, data protection lawyer at Allegis Group, explains: “GDPR is what lawyers call a code: an attempt to get all the law on a subject in one, well-ordered place. 

“This is an area where the EU has set the international standard and, for that reason, it is highly likely to survive Brexit.”

eleanor.duncan@ft.com