Two months into the new rules, advisers are still far from welcoming the change
The General Data Protection Regulation came into force on 25 May. The new rules require personal data to be purchased lawfully and fairly and only collected for specified and legitimate purposes. It must be relevant and limited to what is necessary for it to be processed, accurate and up to date, and processed in a manner which maintains the appropriate level or security for personal data.
Here is a reminder of the changes the industry has had to deal with:
- New accountability requirements: Compliance to the principles must be demonstrated and a written record of data protection activities must be kept at all businesses.
- Extended territory of regulation: Any data controllers or processors outside the EU which supply goods and services within the EU must also comply where relevant. This even applies to US based email systems, like Gmail or Hotmail, which store emails on servers and therefore store personal client data within the US.
- Data protection officers: An expert must be named in data protection law and practices in certain companies and places that conduct large scale processing of special categories of personal data.
- Rights for data subjects extended: Subjects have the right to request the removal or restriction of their data, request for their data to be moved to a different data controller, have their data erased, and can no longer be charged to view their own data.
- New European Data Protection Board: This has been created to issue opinions and guidance to ensure consistent application of processes.
- Notification requirements: Advisers must inform their relevant data protection authority in the event of a breach within 72 hours.
- Fines: The Information Commissioner’s Office can apply fines to the greater of 4 per cent of annual turnover or €20m for severe breaches, and 2 per cent of turnover or €10m for less severe breaches.
- Consent: Data controllers must have a reason for processing data, must have consent from the subject to hold their data, and consent must be given freely and without confusion or ambiguity.
For advisers, the biggest concerns focus on the client’s right to be forgotten and the fact newsletters and keeping in touch activities can be stopped.
‘Sledgehammer to crack a nut’
So, a couple of months into the new rules, we recently asked our members whether they thought GDPR posed a threat to their business. Encouragingly, just 36 per cent said yes and 64 per cent said no.
But while the overarching response was that it is not a threat, it is certainly not seen as a welcome change. Many said there has been a cost to implementing new systems or processes, both monetarily and time-wise, and there were also comments around the capability of back office systems recording client preferences.
One respondent called the new regulation a “sledgehammer to crack a nut”, with another saying: “What’s the point? Cold callers and scammers will find a way to get around it anyway.”
The most important issue for firms is to ensure that they understand the new rules, so they do not fall foul to the heavy fines
There is also concern that the interpretation of GDPR differs between firms. What is more, some said they had not made any or only minimal changes, as they were already Data Protection Act compliant. As one commentator put it: “GDPR is only an extension of what we did. It also enables us to further assure the client on the level of our service and the care we take of their information.”
While the additional burden of regulation is not going to close businesses, it is clear most advisers have not welcomed the changes and stricter rules.
The most important issue for both established firms and those new to the industry is to ensure they understand the new rules, so they do not fall foul to the heavy fines, and can flourish in the new world.
Tom Hegarty is managing director of the New Model Business Academy