Although the GDPR deadline has passed, 25 May was the beginning and not the end. Here are some of the many issues IFAs and MGI firms must consider.
GDPR is now in force and even after Brexit it will remain on the statute books through the Data Protection Act 2018 (DPA 2018).
GDPR means a large increase in the information that data subjects must receive, a need for more comprehensive records and documented policies, and the risk of heavier sanctions for non-compliance, which will increase further when the FCA takes over regulation of data protection in financial services in 2019.
To borrow the Information Commissioner’s words, 25 May was the beginning and not the end.
There are still many issues for IFAs and MGI firms.
- Data adequacy and Brexit?
The UK will need to demonstrate that it provides an adequate level of data protection in order to preserve its data flows with Europe. The Orwellian-sounding “Exiting the European Union Committee” has warned that without an “adequacy decision” in place at the end of the transition period, businesses will have to implement contract-driven solutions (such as standard contractual clauses) to enable the flow of data from the EU into the UK.
Lay aside your prejudice and scepticism – this is what they said!
- Are IFAs and MGI firms data controllers or data processors?
One issue facing firms is whether they should be classed as a data controller or processor in respect of the personal data they receive from clients.
A data controller is the organisation that alone, jointly, or in common with others, determines the purposes and means of processing. A data processor, meanwhile, processes personal data on behalf of a controller. We are happy to say that this much is clear when it comes to GDPR: you and your firm will be controllers in respect of the personal data in your clients’ files.
Although you will be contracted by the client to perform a specified service, you determine what information you need to obtain and process to do the work. You also have a number of professional responsibilities beyond simply acting on the client’s instructions, such as duties to report to regulators.
If you are working for other firms, for example on referrals from other IFA/MGI firms for specialist work, then both your introducer and you are controllers of the end client’s data. In other words, the end client can come directly to you and ask for, say, their fact-find records.
- So should “joint controller” provisions of the GDPR apply?
It would be ideal if you could apportion responsibility for compliance under a “joint controller” clause. However, we do not accept that you can in our business, and for this reason our standard agreements in the document library make each firm independently liable.
IFA/MGI firms are also processors in some of their arrangements.
Where you act as a processor, Article 28 of the GDPR requires a written contract with the controller, and the mandatory terms of that contract control and limit what the processor may do with the data.
This is covered in your data processing agreement, available in the document library: https://ifac.eu/document-library
- Data subject rights requests
GDPR has also expanded the rights data subjects have to access, restrict the processing of, and erase their data. For the most part we believe you are covered by the legal basis on which you hold client data, but the old chestnut of a client asking for their data as a segue to making a complaint remains. In the old days we refused to provide this information, treating the request as a complaint and handling it through the legal route instead. This is unlikely to wash post-GDPR, which leads me on to the Morrisons data leak.
At the time of publication, a class action of up to 100,000 Morrisons staff is in line for compensation under the Data Protection Act 1998 for the upset and distress caused when their payroll data, including names, addresses, bank account details and salaries, was leaked in 2014 by an internal auditor acting on a personal grudge.
Although Morrisons was acknowledged to have had robust security measures in place, to have responded quickly to mitigate the impact, and to have had no way of knowing that its employee intended to abuse his access privileges, the High Court ruled that the supermarket was nonetheless vicariously liable to all the data subjects affected. This is a worrying development for all IFA/MGI firms: you are vicariously liable for the actions of an employee acting on a grudge, however good your own security measures are.