With the General Data Protection Regulation (GDPR) looming on the horizon, this week’s blog examines the sizable implications that this game-changing framework carries for the financial services sector. From consent criteria to transparency, from new employee roles to overhauling your business’ data governance, here you’ll find all of the key details that your firm needs to ensure GDPR compliance come May 25th and beyond.
Up until now, the manner in which UK companies were allowed to gather, store and / or utilize the personal data of their customers has been regulated by the UK Data Protection Act 1998 as well as other European Union (EU) legislation. That all changes on May 25th this year, however, with the implementation of a new framework that – alongside pre-existing legislation such as the Privacy and Electronic Communications Regulations (PECR) – sets the standards for personal data usage across all 28 EU member states.
Dubbed the General Data Protection Regulation (GDPR), the framework expands upon past legal documentation such as the DPA 1998 by imposing revised criteria for the manner in which businesses must henceforth process personal data, deal with customer / client requests on the subject, tackle cybersecurity breaches as well as maintain transparency in terms of their data management systems.
At the GDPR’s core, however, lies the matter of how businesses should approach processing personal data in a lawful manner. Going forward, companies and their designated data controller(s) must be able to demonstrate to the Information Commissioner’s Office (ICO), in line with the GDPR, that their data processing operations fulfil one of the following criteria:
- The data subject (i.e. the customer / client) has given consent for their personal data to be processed
- Processing the data allows the business to complete a contract involving its data subject
- Processing the data ensures their compliance with a legal obligation
- Processing the data ensures protection of “vital interests” of the data subject
- The business is carrying out this data processing in the public’s interest or due to the exercise of official authority (e.g. if they’ve been instructed by police to store this information)
- Processing is “necessary for the purposes of the legitimate interests pursued by the controller or a third party” unless a data subject’s “fundamental rights and freedoms” override these “legitimate interests”. If the data subject is under the age of 18, for example, then their rights to personal data protection may well outweigh other interests.
What is Consent?
Of the data processing criteria listed in the last section, consent will probably sound most familiar to financial services businesses, not least given its longstanding prominence in data protection legislation. That said, the legal definition of the term will soon change substantially thanks to the GDPR’s Article 6 and Article 7, the latter of which sees the EU outline the specific conditions under which firms must obtain and continually manage their data subjects’ consent:
- Any request by your business for a customer / client’s consent to use their personal data must be presented in an “intelligible and easily accessible form” that deploys “clear and plain language” when explaining what this mutual agreement entails
- This is doubly important when the customer / client provides their consent as part of a “written declaration which also concerns other matters”; here the request for consent must be “clearly distinguishable” from any other points read / actions taken by a customer when applying to work with your financial services firm
- Keep in mind too that the data subject can legally withdraw their consent at any time following their initial provision, meaning that processing reliant on consent may not be further carried out.
As discussed previously, consent is only one of numerous grounds for data processing, with others including processing necessary for the purpose of a contract, complying with legal obligations or processing in the public interest. You’ll need to consider which criteria your data processing methods / purposes best fit and be able to demonstrate as much (for instance how you obtained consent or how the processing serves the public interest); if you cannot, then there’s a risk that your firm may fail to fulfil this key aspect of GDPR compliance and incur steep penalty fines of up to €20m / 4% of its global turnover as a result.
GDPR Compliance Strategies for Financial Services Firms
So where do all of these sweeping regulatory shifts leave your financial services business in terms of next steps and the wider industry landscape? Worry not if you’re unsure as to the answer(s), since you’ll find below a series of recommendations – based on our own expertise as well as statements / publications issued by the Financial Conduct Authority (FCA) and ICO – as to how your business can prepare itself for the era of GDPR compliance…
- Foster Staff Awareness – Given the widespread implications that the GDPR will hold for your business going forward, there’s no time to waste in terms of making your staff aware of the key information that pertains to them. For those employees who’ll only occasionally come into contact with personal data, that might simply mean detailing the rules and procedures in place when handling such information or reporting signs of cybersecurity breaches to their seniors. For executives and designated data controllers, however, checking that they understand the type(s) of personal data which your firm holds, how to delete this if requested, individuals’ rights and the workings of privacy impact assessments are all key components of ensuring their joint GDPR compliance.
- Develop or Hire Data Protection Officer(s) – Are your company’s designated data controllers and processors involved in what the GDPR terms as “regular and systematic monitoring of data subjects on a larger scale”, or “processing on a large scale of special categories of personal data and data relating to criminal convictions and offences”? If so, then they’ll soon need to recruit or develop a Data Protection Officer (DPO) who can assume control of your data protection compliance activities and report cybersecurity breaches to the ICO should any arise. If not, then it’s still advisable to appoint a “data protection lead” among your staff who can be called a DPO and have much the same rights as someone hired into that role. Any data controllers in your organisation should also consult the ICO’s GDPR guide for details on what criteria they’ll need in place when hiring data processors going forward.
- Monitor Future FCA / ICO Communications – Most of the FCA Handbook’s rules pertaining to data protection will continue to apply under the GDPR, but the Authority has stated that it will work alongside the ICO going forward “to address concerns firms raise and support firms’ preparations” for the Regulation’s implementation. As such, financial services firms should certainly keep an eye on both the FCA and ICO’s future publications, particularly in relation to the evolving “memorandum of understanding” between the two regulatory bodies. For instance, the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) module could soon begin to evolve, but for now the Authority has reiterated the need for firms to “establish, maintain and improve appropriate technology and cyber resilience systems and controls”.
- Consult Past Data Protection Legislation & Codes of Practice – The ICO emphasises in their guide to GDPR compliance preparations that “many of the GDPR’s main concepts and principles are much the same as those of the current Data Protection Act 1998”. For those businesses uncertain as to whether their current data processing systems will suffice once the Regulation comes into effect, one beneficial step could therefore be to consult the DPA 1998 to ascertain whether their present practices comply with that document’s requirements, since there’s a fair chance that they’ll also comply with those of the GDPR as a result.
- Clarify Your Company’s Data Governance & Systems for Assessments – At times the ICO will require businesses to conduct privacy impact / data protection impact assessments as part of the GDPR’s enhanced efforts towards procedural transparency. It’s vital, then, that your business’ key decision makers / data controllers are aware of the systems in place to collect, store and remove data and are able to demonstrate how these operate, as well as your firm’s overall data governance structure. The ICO have suggested that firms might want to consider conducting information audits to promptly ensure their awareness of data held / whom it’s shared with, but a strong starting point is to visit the Article 29 Working Party’s website for their guidelines on what these impact assessments entail and how best to prepare.
- Look Ahead to Brexit – Of all the changes that Brexit may bring for the UK business status quo, doing away with the GDPR won’t rank among them. As mentioned in our 2017 blog on GDPR implications for UK recruitment, non-EU organisations doing business in the Union with its subjects’ personal data must still comply with the Regulation, which in turn means that those financial services firms operating in other EU member states (also known as ‘cross-border processing’) will still need to determine their “lead data protection supervisory authority” beyond March 2019. Head here for further details on how your firm can identify which international body fulfils this role in relation to your specific activities.
Find out more
We hope that you’ve found this article of use in terms of learning what steps financial services firms should take in preparation for the GDPR’s impending implementation. Be sure to consult the official documents referenced in the blog for further details on GDPR compliance and get in touch with us on our Twitter and LinkedIn pages to let us know your thoughts and concerns about what’s ahead in the GDPR era.