While some advice firms may be a little apprehensive about next year’s introduction of the EU’s General Data Protection Regulation (GDPR), it offers an opportunity to improve business practices and client relationships.
Firms have a year to prepare for full implementation of the GDPR, which represents the most important change in data privacy regulation in 20 years.
A significant amount of the GDPR was drafted in the UK and the Government has confirmed its introduction will be unaffected by Brexit. Far more data than at present will be seen as sensitive and the rules about obtaining clear, specific consent to use it will also be far more demanding.
Organisations will need to ensure they retain proof that this has been freely given and the client has been fully informed about what is involved.
The majority of firms already treat their client data appropriately. Nonetheless, the regulatory changes are necessary to support the digitisation of financial services and the broader economy.
An important first step for firms will be to undertake some form of data-mapping exercise, which will provide them with an understanding of what data they hold, where their data repositories are and how the data is being used. At the very least, an audit process can identify the data that is useful and how best to leverage its value. Consumers will be given greater control over their data, with added protection over privacy.
Data collection and exchange will underpin the growth of digitalisation in financial services in the coming years, and protection of this data will be central to building public confidence and trust in an evolving financial services landscape.
Keith Richards is chief executive at the Personal Finance Society
Compliance tip of the week: The data protection clock is ticking
Financial services firms now have under a year before the GDPR comes into effect. The GDPR will impact the way firms gather, store and manage the personal data they hold.
With the potential for significant fines and reputational damage in cases of non-compliance, no firm can afford to ignore this significant piece of legislation. To be prepared for GDPR, consider these key areas:
Personal data: Firms need to establish what personal data they hold within their organisation and understand the lifecycle of that data, including any high-risk processing activities.
Infrastructure: It is also important to be able to evidence the legal basis for processing personal data and to ensure this does not conflict with the rights and freedoms of data subjects. Policies should be well balanced to ensure data is effectively protected, and systems and controls should be geared towards data security and protection.
Third-party processors: All firms that process personal data can be held jointly liable with the data controllers for breaches. If a business transfers data to a third party for processing, it will need to ensure its supplier contracts are reviewed and amended where necessary, so that all data-handling and processing activities are compliant with the new regulation.
Lorraine Mouat is senior regulatory consultant at TCC