EU legislation will affect Data Protection whether in or out.
And there is not much change in the EEA, because most financial services legislation is EEA wide, not EU wide, and that certainly includes MIFID. But one matter that does stay within EU is the data protection reform that is coming your way for full implementation in 2018. This EU directive is different to EU regulation, because it must be transposed, verbatim, and no member interpretation or amendment is allowed at country level. The aim of the regulation is to harmonise EU data protection law within the EU. This makes sense since so much information now goes cross border. According to the BCCA (consumer credit trade body) it is not uncommon for EEA members anyway to have exactly the same legislation to their EU counterparts, in order to facilitate free trade.
The key changes from the data protection law at present are summarized here
Joint obligations and liability for data controllers and data processors.
Mandatory data protection officers for most businesses like retail financial services. However this can be outsourced to firms like ours which specialize in holding data.
It will be mandatory to report a breach to the data protection regulator as well as to consumers.
The policies and procedures that you all have in place (see the doc library) will now be mandatory. We will be updating ours in good time.
Customers will have to take positive action to agree consent. This means that client agreements will have to be signed by clients in future. We will get the originals amended in good time.
Subject access responses will be free going forwards.
Privacy impact assessments must be carried out and evidenced where new technologies are being deployed.
Fines of 4% of revenue can be levied.
This is all coming your way - oh the excitement. All in all there are not many changes, and not much to worry about – just a mild tightening up but mostly in line with common sense. However if you have read some of the commentary (my ghastly competitors) on the subject you would be forgiven for thinking that the end of the world is fast coming upon us. But one thing is sure, the emailing client files should always be encrypted, or better still use a system such as Bat.