
What is GDPR in a nutshell?

This article is part of the Guide to GDPR implementation.


As consumers, many of us have become used to handing over our personal information to companies, only to feel slightly uneasy when we hear about another data breach in the news.

Likewise, financial advisers and financial services firms are familiar with the process of collecting data from clients and storing it.

But recently, companies across various sectors have come under scrutiny for data breaches which left their clients’ data vulnerable.

One of the world’s largest social media sites, Facebook, has made headlines for all the wrong reasons as it was revealed the way in which some users’ data was used may have helped recent election outcomes.

As of 25 May this year, the General Data Protection Regulation, or GDPR, will come into force, replacing the Data Protection Act of 1998.

Steve Snaith, technology risk assurance partner at RSM, describes GDPR in a nutshell: “The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.

“The regulations will transform how businesses need to store and manage personal data and will replace current EU data legislation.”

The legislation is being introduced to protect consumers from companies using their data unlawfully and from being left vulnerable should any of those companies that hold their data suffer a data breach.

Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, notes: “New provisions require people to give explicit consent around use of their data – a pre-checked box is not enough – and give individuals the right to access and take greater control over the data you hold on them.

“There are also increased sanctions for data protection breaches and notification requirements when a breach occurs.”

The GDPR rules should also help firms be prepared in the event they are the victim of a cybersecurity incident, ensuring they have the correct policies and procedures in place to handle such a threat and deal with it appropriately.

Companies which fail to do so face significant penalties of as much as €20m, or 4 per cent of global annual turnover.

Giulia Lupato, senior policy adviser at the Personal Investment Management and Financial Advice Association (Pimfa), lists the main points for adviser firms to note as they prepare for GDPR to come in:

  • Describes the lawful grounds for processing personal data.
  • Requires firms to have in place adequate personal data risk management, policies and procedures.
  • Requires robust record keeping and audit trails.
  • Contains an obligation to notify the regulator of breaches.
  • Contains enhanced data subject rights, such as the right to erasure, data portability and objection to processing (for example, for direct marketing purposes).
  • Contains information obligations to data subjects.
  • Contains enhanced regulator investigation and sanctioning powers.

Regulatory crossover

It comes hot on the heels of Mifid II, which was introduced at the start of the year.

So is there any crossover between the two?

Ms Lupato says GDPR is certainly not intended to create inconsistencies with other legislation, such as Mifid II.

The main difference between the two, according to Ms Gibson, is that GDPR will require firms to change the way in which they store and process personal data, while Mifid II requires firms to increase the amount of data they collect and store.