GDPR came into force in the UK on May 25 2018, and alongside the Data Protection Act 2018 superseded personal data obligations for companies under the Data Protection Act 1998.
The regulations affect any organisation that holds or processes personal data, but warning bells are still being sounded over internal processes and procedures at some advice companies.
Paul Grainger, chief executive of Complyport, said gaining explicit client consent for data sharing remained the “most important challenge” facing financial advisers.
But the compliance boss warned many companies were “simply not sufficiently well versed” in the detail of GDPR.
Mr Grainger said: “Under GDPR, for personal data sharing to be permitted and valid, the data sharing must be for a legal purpose, and the main legal purpose applicable to financial advisers is that it is required to fulfil a contract or that a client has given consent.”
Noting that financial advisers typically share data with providers, he added: “For client consent to be valid, it is not good enough to assume that a client has not objected or to work on an opt-out basis.
“Consent must be affirmative, specific, informed, unambiguous and freely given, and firms must also be mindful that a client has a legal right to withdraw consent.
“If these conditions are not enforced by robust processes and procedures, a firm may find it has breached GDPR requirements and potentially face serious consequences.”
Some other pitfalls for advisers include the length of time client that data can be retained by a firm, and a lack of understanding that paper records, as well as electronic records, contain personal data.
William Rimington, managing director of cyber risk at Kroll, a division of compliance giant Duff & Phelps, said a number of organisations were still struggling to meet their obligations when confronted with tasks like subject access requests – where an individual can demand details of all the data held on them by a company.
Mr Rimington said: “For this reason, a couple of organisations recently had us look at their corporate policies, procedures and documentation with regard to how personal information is stored and managed.
“Some of these areas were in a poor state and were not tailored to the specific needs of the business.”
Mr Grainger warned that, for businesses with large amounts of legacy paper files, determining those that may contain personal data could be a “very time-consuming challenge”.
The Information Commissioner’s Office, the independent body set up to protect information rights in the UK, received 799 reports of personal data breaches across the finance, insurance and credit sector in the first three quarters of the 2019-20 financial year.
But the ICO has yet to levy significant volumes of fines for non-compliance. The organisation noted in its 2018-19 annual report that it “hadn’t been easy” for small and medium-sized organisations to meet GDPR challenges.
Mr Rimington observed: “There seems to be some ‘teeth’ missing when it comes to fines, at least thus far. Nearly 18 months in, relatively few fines have been levied, but this may be starting to change.”
rachel.mortimer@ft.com
What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know.
