I have been hearing and reading all sorts of interesting and potentially scary things about GDPR and the need for encryption of emails and back ups and so on and so forth. After reading as much as I could find about it on the ICO web site, I failed to find an answer to one key question:
Is encryption mandatory under GDPR emails and back ups and so on?
On Friday, last week, I called the ICO help desk and was given what I thought was a pretty definitive answer and below is my interpretation of the response that I was given
To the answer is encryption mandatory the answer is no. However, there is an ‘it depends’ element and that goes as follows. Under GDPR you are expected to take reasonable steps to protect the privacy of data that you hold for individuals. Just exactly what is reasonable depends on a number of circumstances.
If you are processing sensitive personal data such as religious or health matters, then I would suggest that encryption for the emailing of such data back to the data subject or on to other parties is probably appropriate. I note that many insurance portals use encryption to allow you to pass data through them.
If you are not processing sensitive personal data ( for example mortgage details) then encryption may not be necessary as long as you have the normal procedures and practices in place to prevent unauthorised access to your files or computer systems.
Normal procedures and practices would include password protection for computers, phones, tablets and laptops or any other communication device. Password protection is also appropriate for access to any specific systems that you use for processing personal data such as Trigold, Brain, The Key , any other or bespoke customer management systems that you might use. Physical security would include making sure that papers files and physical device computer back ups are held in locked cabinets and kept in secure offices or premises that are also lockable when unoccupied. Leaving a laptop in a car for example cannot be held secure even with password protection as nationwide found out a number of years ago under the existing Data Protection regulations. Equally taking a backup of you system and leaving it on a pen drive in a locked car or hanging up in the kitchen of a family member’s home cannot be considered reasonable steps to keep data that you hold, private.
Another aspect to consider is how material would the loss of data be. I was given the following example by the ICO help desk. If you were holding a list of names and addresses and payments for a club, you might keep that on paper in a locked drawer in a lockable office. That would be reasonable steps in normal circumstances. However, if you were holding a list of all MI5 agents operating in Russia, it might be more appropriate to keep that in a locked vault with an armed guard because the consequences of a breach of privacy would be more significant in the second case.
On this basis, then I think it might also be reasonable to argue that clients credit or debit card details should not be passed about by unencrypted emails, or rather, the full data required to access and use such cards should not be passed about in unencrypted emails.
Of course, the problem with encryption for emails is that you have to provide the recipient with a key to access the encrypted data. That provides an additional layer of complexity in the process and could prevent or discourage your clients from interacting with you as they should. In the extreme cases that could result in the client going elsewhere and finding a broker who wasn’t making it so difficult for them to transact with you.
No matter what actions you take, there is always going to be the risk that you will experience a breach of data privacy. If that occurs, the first thing that the ICO will look at is how serious your organisation was about data protection. Carrying out a Data Protection Risk Assessment on the firm annually or whenever you make a change to the way that you handle or process data, will provide evidence of your firms seriousness about data protection. This will be an important part of mitigation if you fall foul of the ICO for a privacy breach. I will be issuing an example of a DPRA for a ‘typical broker’ over the next couple of days to enable you to give thought to any potential concerns.
How does all this translate into an action?
If you are processing sensitive personal data then you are advised to encrypt. This includes religious and health matters, sexual orientation and the like. It does not technically include a clients financial circumstances despite the importance that we place on it. This may mean that some of your insurance data may need to be passed through encrypted portals or email systems.
You should not be passing client’s credit card or debit card details through unencrypted emails.
Most mortgage related data does not fall into sensitive personal data category ( although some questions for lifetime mortgages may well do) and so there is no requirement to encrypt either email or security back ups as long as you have taken appropriate measures to protect the privacy of the data that you hold. Appropriate measures in this context is set out in general terms the following paragraph although individual cases and circumstances may vary.
In all cases strong password protection for computers, laptops, mobiles, ipads and so on in order to prevent unauthorised access to your devices. Within applications, once again strong password protection to prevent unauthorised access to systems and the data held within them. Paper files when not in use kept in secure lockable cabinets or drawers that are locked when the office or premises is not attended. Lockable and secure premises that are locked when unattended. Security backups kept in a secure location and on secure devices.
To demonstrate that you take Data Protection seriously, it is advisable to undertake a Data Protection Risk Assessment at least annually or whenever you make a change to the way that you handle or process data. An example will be issued in the next couple of days.
Monday 9 April 2018
Wednesday 14 February 2018
A Quick Update on AML Activity
The FCA has a guide for small firms on dealing with and mitigating the risk of Financial Crime. It can be found here . In it they provide examples of good practice for sanctions systems and controls.
The FCA has previously carried out a thematic review on financial services firms’ approach to UK financial sanctions where it found that many small firms were unaware of the financial sanctions regime and those who were aware had misconceptions about it. It is my understanding that the FCA are now doing another review on the theme, presumably as a follow up.
They have suggested that it is useful to consider the following facts about financial sanctions:
- Standard anti-money laundering checks do not screen clients against the HM Treasury (HMT) list. Firms should not confuse HMT’s financial sanctions regime with anti-money laundering procedures.
- Financial sanctions apply to all transactions, there is no minimum financial limit.
- Politically Exposed Persons (PEPs) are not necessarily financial sanction targets.
- Most listed individuals and entities are aware that they are on the HMT list, which is publicly available. The issue of ‘Tipping off’ (as set out in the Proceeds of Crime Act 2002) should therefore not generally arise.
- HMT’s financial sanction regime is not the same as FCA enforcement action. HMT is responsible for implementing, administering and enforcing compliance with the financial sanctions regime.
The FCA have indicated that is good practice to check:
- your existing clients against HMT’s list
- all new customers prior to providing any services or transactions
- any updates to the HMT list
- any changes to your client’s details (this would only really apply to a mortgage broker where the client has come back for a new product)
Final points to note are that even providing financial advice can be a breach. It is good practice to include directors, beneficial owners of corporate customers in your checks where applicable.
Tuesday 13 February 2018
Are your clients Policially Exposed Persons?
There is, as a matter of routine and almost without fail, regular suggestion in the press about corruption amongst persons who hold public office or who act in forms of public capacity, whether this include heads of state, politicians or even senior managers in charitable institutions. Why only this week I was reading.....
It is pretty obvious that one of a number of popular destinations for overseas PEPs is the UK where funds obtained by dubious means can be used for investments in property, school fees for children and all those many other things that are associated with a lavish way of living.
As a mortgage broker, you are now required to conduct enhanced due diligence on politically exposed persons (PEPs). Although technically, you are not covered by the FCA handbook on Money Laundering, there is an expectation and indeed in all truth an insistence that as a part of your systems and controls for mitigating the risk of financial crime, you will be addressing this issue.
You should be aware that the FCA appear to be conducting some form of thematic review on anti money laundering activity in small firms and that this is a part of the scope of that review. Lenders, who do have a specific obligation under the ML Handbook also have a significant interest in how you deal with this matter when introducing business to them.
You should also make sure that you are absolutely clear about where funds are coming from and where income that is stated has been derived. Third party evidence is good as long as it is valid and doesn't raise worries in its own right (e.g. a bank statement from a sanctioned country should raise alarms).
Where a PEP has been identified however, you should also be undertaking a greater level of scrutiny. Looking around the internet for the individual may turn up some evidence as may a search on the web site of the organisation that has entrusted responsibility to the person.
There are also other plausibility approaches to take. Given that the issues around mortgages will normally relate to income and deposit money, these should be interrogated fully. A full audit trail on deposit monies should be sought. Reviews for suspicious transactions should be made on bank statements and. if sound don't forget to SAR (Suspicious Activity Reports to the National Crime Agency (NCA)). Does the income of the individual support the lifestyle evident in the bank statements that you have available. Are there any other assets of concern in the background?
A check on the HM Treasury Sanctions List would be mandatory in any case but I just state the obvious because it is not always so.
Finally on this point is the matter of proportionality and risk. if you are operating in a market that is home grown and local to you, where you know most of your clients and they either live within a stone's throw or they are past clients who have moved away from the area, then the risk of exposure to PEPs is relatively low. However , it is never absent and you should always be on your guard against unusual or unexplained external contacts particularly introducers from outside of your normal area.
If on the other hand you work in a niche that involves persons of non-UK origin or deals with highly paid employees of non-UK businesses or foreign governments or NGOs for example, then the risk of exposure is greater and you need to make sure that you are on permanent and heightened alert.
There are a number of providers out in the marketplace that specify that they check various lists of PEPs although I am not sure how such lists are complied or who is accountable for them.
In my opinion, the easiest way to find out is to ask the applicants if they are PEPs. I don't necessarily think that it is of value to ask the question, Are you or anyone in your close family or associates, a Politically Exposed Person. It may simply provide a self fulfilling answer.
However, fact finding should be sufficiently robust to ask a number of questions such as:-
Do you, or anyone in your immediate family, hold any position with any of the following organisations (Such as a state other than the UK, a community institution, or an international body)?
If so, obtain Name and contact details on the entity.
What is the exact nature of your relationship with the entity above?
Here you should obtain in their own words the role that they carry out , their remuneration and contact point to obtain verification. If another member of the family is involved then obviously you need the nature of the applicants relationship with that person.
This information should be clearly evidenced on file together with a note from the firms controller to authorise the transaction to proceed.
PLEASE NOTE: I use the term fact finding. I am aware that some fact finds provided by various systems do not include such questions but that is not relevant. What is relevant is that in your own fact finding and know you customer KYC activity, you record that you have asked and that you have gathered any relevant details.
It is pretty obvious that one of a number of popular destinations for overseas PEPs is the UK where funds obtained by dubious means can be used for investments in property, school fees for children and all those many other things that are associated with a lavish way of living.
As a mortgage broker, you are now required to conduct enhanced due diligence on politically exposed persons (PEPs). Although technically, you are not covered by the FCA handbook on Money Laundering, there is an expectation and indeed in all truth an insistence that as a part of your systems and controls for mitigating the risk of financial crime, you will be addressing this issue.
You should be aware that the FCA appear to be conducting some form of thematic review on anti money laundering activity in small firms and that this is a part of the scope of that review. Lenders, who do have a specific obligation under the ML Handbook also have a significant interest in how you deal with this matter when introducing business to them.
Firstly, who is a PEP?
A PEP is someone who within the previous 12 months has been entrusted by :-- a state other than the UK
- a community institution, or
- an international body,
and who fulfils one of the following public roles:
- heads of state, heads of government, ministers and deputy or assistant ministers
- Members of Parliament
- members of supreme courts, or constitutional courts or of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
- members of courts of auditors or of the boards of central banks
- ambassadors, chargés d’affairs and high ranking officers in the armed forces
- members of the administrative, management or supervisory bodies of state-owned enterprises
PEPs will also include this person's family members and known close associates.
PLEASE NOTE THAT A UK MP IS NOT A POLITICALLY EXPOSED PERSON despite what you might think and their own credibility and public performances. If they are doing something wrong and it is illegal, then they are a criminal. If it is morally reprehensible then they are presumably something else. But they are not a PEP.
What do you need to do about PEPs?
Once you have established that you are dealing with a PEP, regardless of the size of your firm, you need to carry out the following:-
- have senior management approval for establishing a business relationship with a PEP
- take adequate measures to establish the source of wealth and source of funds which are involved in the business relationship or occasional transaction
- conduct enhanced ongoing monitoring of the business relationship
What does this mean in practice for a small firm?
Even if you are the only person in the firm, you should ensure that the client file indicates clearly that the person is a PEP and that the controller of the firm ( i.e. it may be you) has authorised the transaction to proceed. There is no prescribed text but a date of action would also be useful.You should also make sure that you are absolutely clear about where funds are coming from and where income that is stated has been derived. Third party evidence is good as long as it is valid and doesn't raise worries in its own right (e.g. a bank statement from a sanctioned country should raise alarms).
Where a PEP has been identified however, you should also be undertaking a greater level of scrutiny. Looking around the internet for the individual may turn up some evidence as may a search on the web site of the organisation that has entrusted responsibility to the person.
There are also other plausibility approaches to take. Given that the issues around mortgages will normally relate to income and deposit money, these should be interrogated fully. A full audit trail on deposit monies should be sought. Reviews for suspicious transactions should be made on bank statements and. if sound don't forget to SAR (Suspicious Activity Reports to the National Crime Agency (NCA)). Does the income of the individual support the lifestyle evident in the bank statements that you have available. Are there any other assets of concern in the background?
A check on the HM Treasury Sanctions List would be mandatory in any case but I just state the obvious because it is not always so.
Finally on this point is the matter of proportionality and risk. if you are operating in a market that is home grown and local to you, where you know most of your clients and they either live within a stone's throw or they are past clients who have moved away from the area, then the risk of exposure to PEPs is relatively low. However , it is never absent and you should always be on your guard against unusual or unexplained external contacts particularly introducers from outside of your normal area.
If on the other hand you work in a niche that involves persons of non-UK origin or deals with highly paid employees of non-UK businesses or foreign governments or NGOs for example, then the risk of exposure is greater and you need to make sure that you are on permanent and heightened alert.
So how to you spot a PEP?
Ok, so all seems most obvious so far but the bit that everyone seems to skirt around is how to spot a PEP?There are a number of providers out in the marketplace that specify that they check various lists of PEPs although I am not sure how such lists are complied or who is accountable for them.
In my opinion, the easiest way to find out is to ask the applicants if they are PEPs. I don't necessarily think that it is of value to ask the question, Are you or anyone in your close family or associates, a Politically Exposed Person. It may simply provide a self fulfilling answer.
However, fact finding should be sufficiently robust to ask a number of questions such as:-
Do you, or anyone in your immediate family, hold any position with any of the following organisations (Such as a state other than the UK, a community institution, or an international body)?
If so, obtain Name and contact details on the entity.
What is the exact nature of your relationship with the entity above?
Here you should obtain in their own words the role that they carry out , their remuneration and contact point to obtain verification. If another member of the family is involved then obviously you need the nature of the applicants relationship with that person.
This information should be clearly evidenced on file together with a note from the firms controller to authorise the transaction to proceed.
PLEASE NOTE: I use the term fact finding. I am aware that some fact finds provided by various systems do not include such questions but that is not relevant. What is relevant is that in your own fact finding and know you customer KYC activity, you record that you have asked and that you have gathered any relevant details.
Monday 12 February 2018
GDPR - Are you sending personal information outside the EEA?
Just a brief note on one possible concern
about GDPR and personal data passing outside the European Economic Area(EEA).
You have to ask yourself a simple
question. Does anything I do result in personal information belonging to
someone else ( e.g. clients) being passed outside the confines of the EEA?
Whilst most of us will answer almost
immediately that it does not, you should consider again. What are your
suppliers up to? In particular what are your email servers and data back up
services up to. Are you sure that stuff isn’t going to the USA or even
Afghanistan for that matter? After all, we talk about storage in the Cloud but
hopefully none of us actually believe that it is somewhere in the ky above! Wherever it is, you can be certain that it sits on a storage device in a
country somewhere.
Data Protection Principle 8 , which
applies now by the way and not just when GDPR comes in, states the
following:-
Personal data shall not be
transferred to a country or territory outside the EEA unless that country or
territory ensures an adequate level of protection for the rights and freedoms
of data subjects in relation to the processing of personal data.
Exactly what constitutes
adequate levels pf protection is down to the European Commission. As far as I can establish, the European Commission has
so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe
Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland,
Uruguay and the US (limited to the Privacy Shield framework) as providing
adequate protection. Adequacy talks are ongoing with Japan and South
Korea.
I do not know at the time of writing whether
this list is up to date as the EU source document was in fact undated.
For most firms, the most likely area of
risk is the USA, partly because of giants like Microsoft, Apple and
many social network sites. These guys have probably all subscribed to the
Privacy Shield Framework. (Microsoft, Apple and Facebook have for example.)
The risk is to establish whether in the secret
machinations of data manipulation, any suppliers of yours are using countries
other than those above ( or in the USA, using firms that are not within the
Privacy Shield Framework). How do you do that, you ask them or you check on the
Privacy Shield web site
The law states that you cannot send personal
data to countries outside the EEA that are not recognised by the EU Commission
or in the case of the USA under the Privacy Shield Framework. ( A word of
warning, the previous framework, Safe Harbor, was thrown out by the courts in
2016 and is no longer acceptable.)
GDPR will bring this legal requirement further
into play and so as a part of your preparation for GDPR, you need to give this
matter a little consideration.
Thursday 4 January 2018
GDPR Update Part II January 2018
This is the second of two updates on GDPR primarily aimed at
firms regulated by the Financial Conduct Authority but in the main it is
applicable to most firms. The updates are intended to give you an oversight into
some of the actions required of you now and what will be required of you later
in the year. May is only a short time away. If you missed the first update you
can find it here.
Having read these two updates, you may begin to come to the
conclusion that GDPR is a big thing. It is without a shadow of a doubt but with
appropriate action in good time, there
should be no problem in delivering a
compliant approach in small firms despite the scaremongering that is flying
about at the moment.
Verbal Disclosure at the outset on the Telephone
You will be expected to tell anyone whose data that you will
be handling a number of things relating to what you intend to use the data for,
who it might be shared with, the data subjects rights in respect of their data,
how long you plan to keep it for. The list is not exhaustive here and will be
summarised in a future update. You will also need to keep a record of when you
gave this information to the data subject. Before proceeding to explain this,
it is worth noting that this does not mean expressly that firms will need to
record telephone calls as has been suggested in a number of ‘updates’ that I
have seen.
There area number of elements to demonstrate that appropriate
disclosure has been made. The first of these is a record that the person communicating
the information to the data subject has been trained accordingly in the new
requirements. This means that their training log should reflect this where
there is a training log (as good as mandatory in the Financial Services
industry). There should also be an approved document that is to be used to
communicate with the data subject. This is likely to be the firm’s privacy
statement (PS) together with a script, if appropriate, to aid in the delivery
of the PS. The PS is a controlled document and should be included somewhere
formal in the firm’s systems of control. Although it is not technically a
financial promotion, the most obvious place to keep it under control is in the
Financial Promotions Register.
Financial Services firms have obligations in terms of
initial disclosures under the FCA Conduct of Business rules and, so it makes
absolute sense to ensure that these disclosures are married to the PS and
delivered at the outset. Firms using a Terms of Business Letter (TOB) as an
initial disclosure document (IDD) could expand the content to include the PS
without too much angst and could extend their initial conversations to include
their obligations under GDPR. Firms that continue to use the old style IDD
originally put forward by the FSA and now pretty much obsolete in its current
form, should consider transferring to a TOB prior to May 2018.
It should be noted that GDPR avoids the term express consent
but does make it clear that there is a requirement to demonstrate that the
client has been adequately informed and that they have given their consent to
the use of their data. It would be advisable to get confirmation from the data
subject either by way of signature, email or some other unique identifier
before processing their data.
Where collection of data is going to undertaken by
telephone, then there needs to be documented procedure, evidence of training
and a suitable script to ensure that disclosure requirements are delivered
before the firm starts to collect and process data. It goes without saying that
the collection and handling of data only starts once you start to document or
record data in your firm’s systems.
New rights for Data Subjects
GDPR provides a number of rights for individuals, some of
which exist under current regulations (but are enhanced) and others that are
entirely new. The following is a list of the rights: -
·
The right to be informed
·
The right of access
·
The right to rectification
·
The right to erase
·
The right to restrict processing
·
The right to data portability
·
The right to object
·
Rights in relation to automated decision making and
profiling.
I am not
proposing to go into detail on each of these rights in this document other than
to say that some of these are new and are potentially problematic, especially
the right to erase. These rights must be made clear to the data subject (client,
AR, introducer and so on) before you start to process their data under GDPR.
Consent for Guarantors and persons incidental to the
client’s data processing
There are a number of different areas for firms to identify
as a lawful basis for handling data. These may vary firm to firm and can vary
within different data subject groups within the firm. One of the purposes of carrying out a data
mapping exercise is to establish the correct legal base of legal processing.
For most intermediary firms, it is likely that you will use
‘Consent’ as the lawful basis for processing data for your clients in
almost all cases and this means that in addition to obtaining consent from your
clients, you will need to obtain consent from any other person involved in the transaction.
This may include guarantors, adults over the age of 17 living in the property,
children – a particular area where care must be taken. Data is data and, so it
matters not whether the client is the data subject or the guarantor or whoever
is the data subject, GDPR applies the same in all cases.
A final point here is that the lawful basis for processing
may differ for employees and for introducers of business. Whichever option you
go for, your privacy notice will need to explain this.
Agreements with third parties e.g. AR agreements and
Introducer, Employment Contracts
Within the agreements that you hold with third parties where
these are individual data subjects, you will need to ensure that you have
obtained consent to handle and process their data. This includes Appointed
representatives and their staff if applicable, introducers & locums. The
same will apply to employment contracts. You will need to review existing
documents to ensure that these will satisfy GDPR – they probably will not.
Equally, you will want agreements with third party suppliers
to satisfy the requirements of GDPR in relation to any data that you might pass
on to them either for yourself, your employees and ARs, introducers, clients
etc.
Web Pages
GDPR has come in in part to deal with the issues of the
digital age and therefore web, internet and other ethereal activity will have
to be looked at very carefully. Because this is such a big subject, it is going
to be dealt with in its own bulletin at a later stage.
There is a lot of scaremongering in the press about the use
of emails after GDPR. I have not yet completed my research on this but I would
offer the following observations at the present time.
It is down to each firm to undertake its own Data Protection
Impact Assessment (DPIA) on the issue of email communication and to establish
whether this poses an undue risk in transmitting client data. The outcome of
such an assessment might be that unencrypted emails are not safe for the firm to
use with client data. However, firms can exercise no impact on the clients view
of the world and if they choose to send on unencrypted emails then arguably you
will have no control over it.
For more on emails, please see future bulletins. The same
applies for further in formation on DPIAs,
A Potential issue (right to be forgotten and complaints
handling)
One of the areas that I see as being an issue to start with
or at least until we have some case precedent to frame the requirements relates
to dealing with complaints after a client has exercised a right to erasure.
Given that most firms are going to use ‘consent’ as the basis for handling and
processing client data, the data subject will have the right to be forgotten or
to be more precise, the right of erasure.
This raises quite a significant potential problem for firms in the event
of complaint handling. The risk is as follows: -
A past client exercises their right for data subject access
(DSAR) and obtains a copy of all their data. They then exercise their right of
erasure (which must be complied with unless it falls into certain categories
that are unlikely to apply in his scenario). The firm, as long as it complies
with FCA requirements for data handling (technically three years for advised
completed mortgage sales) must comply with the request and arrange for the data
to be deleted. The client then raises a complaint about a past issue from the
information that it holds from the DSAR and presents the complaint to the firm.
The firm now holds no data about the client and therefore is unable to defend
the complaint. Client therefore in a good position to be successful in the
complaint either directly with the firm or when it goes to the Ombudsman.
Watch this space as this issue could run a bit but obviously
an important matter to consider amongst everything else is how your firm will
respond to requests exercising the right to erasure.
Next Steps.
The purpose of these two brief notes on GDPR is to
invigorate the subject now that we are less than five months away. For my
clients I will be following the 12 Step Plan that the ICO have put out a few
months ago and I have today publicised that within the MI System that some of
you are using. Over the coming weeks, I will be issuing documents and
undertaking actions for my clients in order to prepare for GDPR in a timely
manner. There will be a number of significant updates to the MI system
including, of course, a new area for Data Protection to cover the GDPR changes.
Tuesday 2 January 2018
GDPR 2018 Update Part I
THIS IS THE FIRST OF
A TWO PART UPDATE ON GDPR FOR MORTGAGE INTERMEDIARIES. THE SECOND PART WILL BE
ISSUED BEFORE 5th JANUARY
2018.
There is a lot of activity in relation to GDPR in the industry at the moment as well as
almost everywhere else! It is hardly surprising, as the new data protection rules coming in in May 2018
for the European economic Area (EEA) are probably the most far reaching on the
planet. Brexit will have no bearing on
the changes coming in and so the new rules are no doubt here to stay.
So what has to be
done? Below are a few things that we need to do.
Carry out a data mapping exercise.
This is not as heavy as it sounds. Basically, we just need
to establish where you get data from, how you process it and who you pass it to
(and whether any of these locations are outside the EEA). There are a number of
convolutions around this but I will be providing some guidance on this during December,
together with a basic model for a mortgage broker that should fit most firms.
The reason for the data mapping is to carry out an audit on
where personal data goes so that you can identify who and where and then check
that these potential data processors on your behalf are registered and tooled
up to handle data (in terms of competence, security and back up). The model
that I will produce should cover most of the firms or types of firm that you
will be dealing with and if there are
any outside this, then we can discuss separately.
Data mapping also allows us to improve the completeness and
coverage of our Privacy Statement (see below).
Privacy Statement and Consent
GDPR is going to require you so set out and explain to your
clients who is processing their data, how you will process it and for what
purposes, who you will share their data with, their rights and how you will
keep their data safe. This is best done by documenting a Privacy Statement.
This could be a standalone document or it could be incorporated into your
Initial Disclosure Document (IDD). Although you don’t technically have to get
the client to sign your Privacy Statement, you are required to keep a record of
the fact that you have explained the key information required by GDPR and this
is best demonstrated by getting a signature or email confirmation of receipt.
Under the existing rules, your client consents to you
processing their data by the fact that they have contacted you to arrange a
mortgage or insurance for you (and a member of staff, where applicable, by
becoming your employee, Appointed Representatives and Introducers also). Under
the new rules, the consent has to be evidenced. This could be a record that a
conversation has been had and a Privacy Statement issued when combined with
documented procedures that explain how consent is to be obtained and training
for appropriate staff. However, the safest way to evidence consent is by having
a document signed or otherwise uniquely confirmed (e.g an email) by the client.
Such evidence could be a signature on a copy of the Privacy Statement or on a
suitably documented IDD. It could also be a confirmation of some form contained
within an email from the client’s personal email account. It should be noted
that where one client is signing on behalf of a joint application there is a
potential exposure if the other party then claims that there was no permission
to sign on the other persons behalf. Suitable wording for joint applications
could in part address this but it is recommended that where possible, all data
subjects document their consent. As an aside here, there is a potential issue
for adults living in the property to be mortgaged because their data will also
be recorded in your files even to the extent that it is
only name, age and address details. Therefore, where you are processing data
relating to adults who are not party to the mortgage application but are
resident or in any way involved in the transaction (another example would
be dependents or members of the family
in Lifetime Mortgages) you will need to be
able to evidence that they have consented to processing their data in
the same way. Please refer to the section below for further details. Web pages
will also be dealt with below.
I have produced a
sample Privacy Statement and will be
issuing this document shortly. It will also be available
from 1st January in the MI System.
Initial Disclosure Document
Rather than issue two documents to a client, I would suggest
that the existing IDD is expanded to incorporate the Privacy Statement. I
believe that the Data Protection part should be visually separate from the IDD
text but signature of the single
document could be taken for signature of
both parts. Many firms still obtain signatures on the IDD as part of routine
processing and so this will not be a big deal in most cases. I would emphasise
that the date of the signature is also important as this is the date that the
client consented to processing their data. This could mean that it is possible
that you may begin recording client data before they have signed a consent but
that can be delat with by making sure that the client is aware of the matter at
the start of your conversation. The fact of issuing an IDD including the
Privacy Statement within say 5 working days should be adequate to satisfy GDPR as long as some
verbal explanation has been given at the outset.
I have produced a
sample IDD in the form of a Terms of Business Letter as I do not believe the
old IDD format originally put forward by the FCA is appropriate to comply with
the GDPR requirements. Firms currently using the old style IDD should consider
moving over to a Terms of Business in order to streamline their process. ICOBS
allows a terms of business letter for insurances as long as it includes certain
key data and the TOB that I have documented is also designed to comply with the
current insurance disclosure requirements. It will also be available
from 1st January in the MI System.
Appointing a person responsible for Data Protection and
undergoing training within the firm
GDPR requires that each Data Controller which may be an
individual or a firm depending upon corporate status) appoints an individual
with responsibility for Data Protection. That is no particular issue in its own
right but with the new rules on their way some time next year for Senior
Managers and Certification (SM & C), it means that there will need to be a
robust document and that the individual will have been appropriately trained
and competent. For most small firms this will not however be an issue as the
sole Director, proprietor or senior partner will be the named person. Training
can be in any form. This document in its
own right is a training document and, if you use the MI system, will be
recorded in your training log there.
Where there are any other persons in the firm, all of them
will need to be trained in the new rules. Whilst this document deals with much
of the new requirements , a further GDPR Training Session will be issued in the
new year and made available through the MI system for training to other members
of staff. A recommendation would be that all staff, directors and business
partners are trained, including Ars where applicable and their staff. It is
also recommended that any introducers of business are provided with a suitable
update (the Training Document to be provided at a later date, for example).
Subscribe to:
Posts (Atom)