Everything you need to know about incoming data protection regulation

The new regulation requires a culture change in terms of how personal data is perceived and treated.

With less than four months to go until the implementation of the General Data Protection Regulation, strategies to comply should be nearing completion.

There are differences of opinion on some aspects and, as with all pieces of major legislation, not everything is black and white. There is room for interpretation. There are also specific challenges for the regulated financial services industry.

Many of the existing principles of the Data Protection Act are being carried into the new GDPR legislation. There are some new requirements to bring legislation up to date with technological changes and the law will have much sharper teeth, with penalties for non-compliance and data breaches much higher.


Whether data is held on paper files or electronically, you need to record the types you are processing, the reason for processing and how and where it is held. One of the principles of the GDPR is that you should only hold personal data that is necessary for the intended purpose. Processing includes collection, recording, storage, alteration or use of personal data.

There are several lawful bases on which data can be processed. Consent is only one of those bases and is often not the most appropriate one to use. You are likely to use “processing is necessary for the performance of a contract” as the primary lawful basis, although consent is required for the processing of special categories of data such as health information.

Marketing activity

Marketing activity can only be undertaken where your client has given explicit consent to receive marketing material from you. The standard for consent is set at a higher level than under current data protection law. It needs to be a positive opt in and clients will have a right to withdraw consent at any time.

While it has been argued that marketing can be undertaken on the basis of a legitimate business interest, this is unlikely to hold water. Legitimate interests can only be used where they are not overridden by the rights and freedoms of the data subject. As there is a fundamental right to object to personal data being used for marketing purposes, the advice is to get the appropriate consent.

Clients’ rights

All individuals (data subjects) will have the right to be informed about how and why you process their data, the right to access their data, to have incorrect information rectified, to have their data moved to another data controller, and to have their data deleted if you no longer have an appropriate lawful basis on which to process it.

You do not need to comply with a request for deletion where you have a regulatory responsibility to retain the data and, beyond that, where you have an interest in retaining it against the possibility of a future claim. But your retention policy needs to be clear within the terms of a privacy notice document.

Staff awareness

Staff awareness of the GDPR requirements is vital. All staff who may come across personal data will need to have knowledge of the data protection principles and the practical application of the GDPR within your firm through your own internal policies. This should be refreshed and tested on a regular basis.

You will need to implement appropriate and proportionate accountability and governance measures. These may include organisational measures such as internal data protection policies, staff training, auditing of processes and maintaining relevant records of processing activities. Such measures will help you to demonstrate compliance with the GDPR.

Third parties

As a data controller, you must have contracts in place with any third parties that process personal data on your behalf, covering the responsibilities and liabilities of both parties under the GDPR. There are compulsory inclusions for these contracts, such as that the processor can act only on the written instructions of the controller, a duty of confidence when processing data, and having appropriate data security measures in place.

Your own data security measures are vital as you would expect. The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.


You will need to report certain types of personal data breach to the Information Commissioner’s Office. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

The ramping up of data protection law that the GDPR brings, together with the stiff financial penalties and the background of longstanding and wholesale non-compliance with existing data protection law, means the new regulation is something of a culture shock.

It also requires a culture change in terms of how personal data is perceived and treated. The general media is already active in publicising the changes. You need to be prepared.

Jon Roberts is compliance policy consultant at Threesixty
