This article was written by Julie Griggs and first published in the Iress Industry Voice magazine.
Over the years consumer trust has been abused and some companies in the UK have taken advantage of consumers’ willingness to share information about themselves. This year, the General Data Protection Regulation (GDPR) will further enhance and protect consumer privacy. Although GDPR is technically EU legislation, the UK government has confirmed that it will still apply following the UK’s withdrawal from the European Union and so it is important that businesses in this country adapt quickly. Details of the new regulation can be found on the ICO website.
‘Accountability’ and ‘transparency’ are two terms with which we are familiar in the financial services sector, considering we have respected the need for our clients’ privacy for many years. Therefore, the new regulation should only enhance our efforts and make them even clearer to our clients. A few adjustments to our existing systems should be enough to ensure that we are compliant and will be able to carry on with ‘business as usual’.
The principle of accountability is new in the context of data protection law. However, financial firms are already subject to comparable obligations under the FCA’s regulatory regime, including the requirement for companies to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
Select the correct lawful basis for processing
You will need to select the correct lawful basis for processing – see the ICO website for the options. All data, processing applications and contacting existing customers at renewal will fall under the lawful basis of legitimate interest. Because we have a legal obligation to hold data under the FCA, we would not use consent as the lawful basis.
It is likely that regulated firms will only use consent to market to customers, and please remember that you can only use consent if you can offer the customer the right to withdraw and to be forgotten. You will have to keep consent in mind for every single non-essential interaction with clients. For example, if you wish to send your clients a Christmas card (if it is addressed to an individual and not a company), you will need to have their consent!
Make sure that you are aware of and document all potential interactions with your clients and have a compliant process in place for each of them.
All of this means that you must maintain full records to demonstrate compliance, and these records must always be kept up to date. If an individual will not give consent for their data to be held going forward, this should not have any bearing on the services being offered to them. You will need to ensure that the client can withdraw their consent at any time and that doing so is a simple process.
Under the FCA rules, financial brokers have to retain client data for at least six years. As long as this data is kept separate, kept safe and not used for any other purpose, we should not have to change any procedures. However, it would be advisable to notify the client separately that you are required to keep their data for this purpose, as this might not be something that they are already aware of.
Do not panic!
If you have not already started to evaluate your current processes and databases in preparation for GDPR’s introduction in May, you should start to do so. There is plenty of information available to give you advice on the exact steps to take. You should review your systems now and also nominate a data controller who will deal with the changes. Be sure to update the wording on your application documentation and declarations to ensure that all aspects of the new rules are covered. This will ensure that when you sign up a client you have their consent to engage with them, by way of their opting in to future contact and/or marketing, and to hold their information.
Although at first glance this new regulation might seem to be just another hoop to jump through, in fact it is an opportunity to secure your clients’ trust by becoming even more transparent and accountable. There is no need to panic and with some straightforward adjustments, you will soon be GDPR ready!
By Julie Griggs, Director, CPC Finance