The EU’s new data privacy regulation was approved by the European Parliament on 14 April 2016, but only comes into effect this week. The aim is to harmonise data protection laws across Europe and – regardless of the Brexit process – it will apply in the UK. If and when Brexit actually happens the situation is unlikely to change much. The current plan is to incorporate the GDPR into UK domestic law and the extra-territorial nature of the GDPR means it will apply to many UK businesses following Brexit in any event.
The GDPR will apply to any business operating in the EEA and to any business outside the EEA offering goods or services to EEA citizens. It covers all personal data, meaning any information relating to a person who can be directly or indirectly identified.
As a result of the GDPR, individuals’ rights in relation to their personal data are enhanced, including the right to basic information about how their data is collected and used and the right to access that data and receive a copy of it. The law also introduces a right to have data deleted – popularly known as the ‘right to be forgotten’ – and a right to data portability, so individuals can easily and securely transfer their personal data between businesses.
It is complex and potentially far-reaching legislation, yet many companies appear unprepared. A survey by consultancy firm EY published in January found just 33 per cent of respondents had a plan to address GDPR compliance. However, the financial services sector may well be in a better position than most, according to Alice Kingdon, Legal Counsel for Dolfin.
“Financial services firms are already closely regulated by the FCA, and take information privacy and security very seriously, so I think they may already be in fairly good stead for GDPR compliance,” she says.
That said, all financial services companies will have been working intently over the past two years to ensure they are compliant: taking steps to understand what their obligations are and what their current processes are, and identifying the gaps between the two. Many will have upgraded their IT systems, updated their internal policies and procedures, educated the workforce on the new regime and brought their suites of legal documentation up to date.
“GDPR is an opportunity to make sure all your data security and privacy measures are robust and fit for purpose”
Alice Kingdon · Dolfin
“For the financial services industry, it’s an opportunity to do a bit of a health-check, to make sure all of your data security and privacy measures are robust and fit for purpose,” says Kingdon.
Although the new rules apply across the EU, there is scope for member states to diverge in some areas, such as employment law. That means there could be subtle differences in how data is treated in different jurisdictions. In addition, companies that operate in more than one member state will be able to decide which country’s data protection authority will be their lead authority.
Doing the right thing
Going forward, companies will need to be able to respond to clients who want to, say, check their data or even delete it. Of potentially greater significance for financial services firms is if a client wants to take their data to a different provider – but this could be an opportunity as much as a burden for firms, as it means they can also offer a more seamless on-boarding process to new clients.
“There is no need to panic.”
Alice Kingdon · Dolfin
It remains to be seen how regulators will react to breaches of the GDPR, but the costs of non-compliance could be high. Any breach of the law’s core principles – which include only keeping data that is needed and only for as long as necessary, and ensuring it is accurate and stored securely – could lead to a fine of €20m (£17.5m) or 4 per cent of turnover, whichever is higher. If a company suffers a security breach and data is compromised, it must notify the data protection authority and, if there is a risk to clients, they must be notified too – failure to do so could attract a fine of €10m or 2 per cent of turnover, again whichever is higher.
“There are some big numbers involved, which are catching the headlines,” says Kingdon, “but as a financial services firm, compliant with the old data protection regime, there is no need to panic”.