Thursday 4 January 2018

GDPR Update Part II January 2018


This is the second of two updates on GDPR primarily aimed at firms regulated by the Financial Conduct Authority but in the main it is applicable to most firms. The updates are intended to give you an oversight into some of the actions required of you now and what will be required of you later in the year. May is only a short time away. If you missed the first update you can find it here.

Having read these two updates, you may begin to come to the conclusion that GDPR is a big thing. It is, without a shadow of a doubt, but with appropriate action taken in good time there should be no problem in delivering a compliant approach in small firms, despite the scaremongering that is flying about at the moment.

Verbal Disclosure at the outset on the Telephone

You will be expected to tell anyone whose data you will be handling a number of things: what you intend to use the data for, who it might be shared with, the data subject's rights in respect of their data, and how long you plan to keep it for. The list is not exhaustive here and will be summarised in a future update. You will also need to keep a record of when you gave this information to the data subject. Before proceeding to explain this, it is worth noting that this does not expressly mean that firms will need to record telephone calls, as has been suggested in a number of ‘updates’ that I have seen.

There are a number of elements needed to demonstrate that appropriate disclosure has been made. The first of these is a record that the person communicating the information to the data subject has been trained accordingly in the new requirements. This means that their training log should reflect this where there is a training log (as good as mandatory in the Financial Services industry). There should also be an approved document that is to be used to communicate with the data subject. This is likely to be the firm’s privacy statement (PS) together with a script, if appropriate, to aid in the delivery of the PS. The PS is a controlled document and should be included somewhere formal in the firm’s systems of control. Although it is not technically a financial promotion, the most obvious place to keep it under control is in the Financial Promotions Register.

Financial Services firms have obligations in terms of initial disclosures under the FCA Conduct of Business rules, and so it makes absolute sense to ensure that these disclosures are married to the PS and delivered at the outset. Firms using a Terms of Business Letter (TOB) as an initial disclosure document (IDD) could expand the content to include the PS without too much angst and could extend their initial conversations to include their obligations under GDPR. Firms that continue to use the old style IDD originally put forward by the FSA, now pretty much obsolete in its current form, should consider transferring to a TOB prior to May 2018.

It should be noted that GDPR avoids the term express consent but does make it clear that there is a requirement to demonstrate that the client has been adequately informed and that they have given their consent to the use of their data. It would be advisable to get confirmation from the data subject either by way of signature, email or some other unique identifier before processing their data.

Where collection of data is going to be undertaken by telephone, then there needs to be a documented procedure, evidence of training and a suitable script to ensure that disclosure requirements are delivered before the firm starts to collect and process data. It goes without saying that the collection and handling of data only starts once you begin to document or record data in your firm’s systems.



New rights for Data Subjects

GDPR provides a number of rights for individuals, some of which exist under current regulations (but are enhanced) and others that are entirely new. The following is a list of the rights: -

· The right to be informed
· The right of access
· The right to rectification
· The right to erase
· The right to restrict processing
· The right to data portability
· The right to object
· Rights in relation to automated decision making and profiling.

I am not proposing to go into detail on each of these rights in this document other than to say that some of these are new and are potentially problematic, especially the right to erase. These rights must be made clear to the data subject (client, AR, introducer and so on) before you start to process their data under GDPR.



Consent for Guarantors and persons incidental to the client’s data processing

There are a number of different options for firms to identify as a lawful basis for handling data. These may vary from firm to firm and can vary between different data subject groups within the firm. One of the purposes of carrying out a data mapping exercise is to establish the correct lawful basis for processing.

For most intermediary firms, it is likely that you will use ‘Consent’ as the lawful basis for processing data for your clients in almost all cases, and this means that in addition to obtaining consent from your clients, you will need to obtain consent from any other person involved in the transaction. This may include guarantors, adults over the age of 17 living in the property, and children – a particular area where care must be taken. Data is data, and so it matters not whether the data subject is the client, the guarantor or anyone else: GDPR applies the same in all cases.

A final point here is that the lawful basis for processing may differ for employees and for introducers of business. Whichever option you go for, your privacy notice will need to explain this.



Agreements with third parties e.g. AR agreements and Introducer, Employment Contracts

Within the agreements that you hold with third parties, where these are individual data subjects, you will need to ensure that you have obtained consent to handle and process their data. This includes Appointed Representatives and their staff if applicable, introducers and locums. The same will apply to employment contracts. You will need to review existing documents to ensure that these will satisfy GDPR – they probably will not.

Equally, you will want agreements with third party suppliers to satisfy the requirements of GDPR in relation to any data that you might pass on to them, whether that data relates to yourself, your employees, ARs, introducers, clients etc.



Web Pages

GDPR has come in in part to deal with the issues of the digital age and therefore web, internet and other ethereal activity will have to be looked at very carefully. Because this is such a big subject, it is going to be dealt with in its own bulletin at a later stage.

There is a lot of scaremongering in the press about the use of emails after GDPR. I have not yet completed my research on this but I would offer the following observations at the present time.

It is down to each firm to undertake its own Data Protection Impact Assessment (DPIA) on the issue of email communication and to establish whether this poses an undue risk in transmitting client data. The outcome of such an assessment might be that unencrypted emails are not safe for the firm to use with client data. However, firms can have no impact on the client's view of the world, and if the client chooses to send unencrypted emails then arguably you will have no control over it.

For more on emails, please see future bulletins. The same applies for further information on DPIAs.



A Potential issue (right to be forgotten and complaints handling)

One of the areas that I see as being an issue to start with, or at least until we have some case precedent to frame the requirements, relates to dealing with complaints after a client has exercised a right to erasure. Given that most firms are going to use ‘consent’ as the basis for handling and processing client data, the data subject will have the right to be forgotten or, to be more precise, the right of erasure. This raises quite a significant potential problem for firms in the event of complaint handling. The risk is as follows: -

A past client exercises their right of data subject access (DSAR) and obtains a copy of all their data. They then exercise their right of erasure (which must be complied with unless it falls into certain categories that are unlikely to apply in this scenario). The firm, as long as it complies with FCA requirements for data retention (technically three years for advised completed mortgage sales), must comply with the request and arrange for the data to be deleted. The client then raises a complaint about a past issue, based on the information they hold from the DSAR, and presents the complaint to the firm. The firm now holds no data about the client and therefore is unable to defend the complaint. The client is therefore in a good position to be successful in the complaint, either directly with the firm or when it goes to the Ombudsman.

Watch this space as this issue could run a bit, but obviously an important matter to consider amongst everything else is how your firm will respond to requests exercising the right to erasure.



Next Steps.

The purpose of these two brief notes on GDPR is to invigorate the subject now that we are less than five months away. For my clients I will be following the 12 Step Plan that the ICO have put out a few months ago and I have today publicised that within the MI System that some of you are using. Over the coming weeks, I will be issuing documents and undertaking actions for my clients in order to prepare for GDPR in a timely manner. There will be a number of significant updates to the MI system including, of course, a new area for Data Protection to cover the GDPR changes.

Tuesday 2 January 2018

GDPR 2018 Update Part I



THIS IS THE FIRST OF A TWO PART UPDATE ON GDPR FOR MORTGAGE INTERMEDIARIES. THE SECOND PART WILL BE ISSUED BEFORE 5th JANUARY 2018.



There is a lot of activity in relation to GDPR in the industry at the moment, as well as almost everywhere else! It is hardly surprising, as the new data protection rules coming in in May 2018 for the European Economic Area (EEA) are probably the most far reaching on the planet. Brexit will have no bearing on the changes coming in and so the new rules are no doubt here to stay.

So what has to be done? Below are a few things that we need to do.

Carry out a data mapping exercise.

This is not as heavy as it sounds. Basically, we just need to establish where you get data from, how you process it and who you pass it to (and whether any of these locations are outside the EEA). There are a number of convolutions around this but I will be providing some guidance on this during December, together with a basic model for a mortgage broker that should fit most firms.

The reason for the data mapping is to carry out an audit on where personal data goes, so that you can identify who holds it and where, and then check that these potential data processors acting on your behalf are registered and tooled up to handle data (in terms of competence, security and backup). The model that I will produce should cover most of the firms or types of firm that you will be dealing with, and if there are any outside this then we can discuss separately.

Data mapping also allows us to improve the completeness and coverage of our Privacy Statement (see below).

Privacy Statement and Consent

GDPR is going to require you to set out and explain to your clients who is processing their data, how you will process it and for what purposes, who you will share their data with, their rights and how you will keep their data safe. This is best done by documenting a Privacy Statement. This could be a standalone document or it could be incorporated into your Initial Disclosure Document (IDD). Although you don’t technically have to get the client to sign your Privacy Statement, you are required to keep a record of the fact that you have explained the key information required by GDPR, and this is best demonstrated by getting a signature or email confirmation of receipt.

Under the existing rules, your client consents to you processing their data by the fact that they have contacted you to arrange a mortgage or insurance for them (and a member of staff, where applicable, by becoming your employee; Appointed Representatives and Introducers also). Under the new rules, the consent has to be evidenced. This could be a record that a conversation has been had and a Privacy Statement issued, when combined with documented procedures that explain how consent is to be obtained and training for appropriate staff. However, the safest way to evidence consent is by having a document signed or otherwise uniquely confirmed (e.g. an email) by the client. Such evidence could be a signature on a copy of the Privacy Statement or on a suitably documented IDD. It could also be a confirmation of some form contained within an email from the client’s personal email account. It should be noted that where one client is signing on behalf of a joint application there is a potential exposure if the other party then claims that there was no permission to sign on the other person's behalf. Suitable wording for joint applications could in part address this, but it is recommended that where possible all data subjects document their consent. As an aside here, there is a potential issue for adults living in the property to be mortgaged because their data will also be recorded in your files, even to the extent that it is only name, age and address details. Therefore, where you are processing data relating to adults who are not party to the mortgage application but are resident or in any way involved in the transaction (another example would be dependents or members of the family in Lifetime Mortgages), you will need to be able to evidence that they have consented to processing their data in the same way. Please refer to the section below for further details. Web pages will also be dealt with below.

I have produced a sample Privacy Statement and will be issuing this document shortly. It will also be available from 1st January in the MI System.



Initial Disclosure Document

Rather than issue two documents to a client, I would suggest that the existing IDD is expanded to incorporate the Privacy Statement. I believe that the Data Protection part should be visually separate from the IDD text, but signature of the single document could be taken as signature of both parts. Many firms still obtain signatures on the IDD as part of routine processing and so this will not be a big deal in most cases. I would emphasise that the date of the signature is also important, as this is the date that the client consented to processing their data. This could mean that it is possible that you may begin recording client data before they have signed a consent, but that can be dealt with by making sure that the client is aware of the matter at the start of your conversation. The fact of issuing an IDD including the Privacy Statement within, say, 5 working days should be adequate to satisfy GDPR as long as some verbal explanation has been given at the outset.

I have produced a sample IDD in the form of a Terms of Business Letter as I do not believe the old IDD format originally put forward by the FCA is appropriate to comply with the GDPR requirements. Firms currently using the old style IDD should consider moving over to a Terms of Business in order to streamline their process. ICOBS allows a terms of business letter for insurances as long as it includes certain key data, and the TOB that I have documented is also designed to comply with the current insurance disclosure requirements. It will also be available from 1st January in the MI System.



Appointing a person responsible for Data Protection and undergoing training within the firm

GDPR requires that each Data Controller (which may be an individual or a firm depending upon corporate status) appoints an individual with responsibility for Data Protection. That is no particular issue in its own right, but with the new rules on their way some time next year for Senior Managers and Certification (SM & C), it means that there will need to be a robust document and that the individual will have been appropriately trained and competent. For most small firms this will not however be an issue, as the sole Director, proprietor or senior partner will be the named person. Training can be in any form. This document in its own right is a training document and, if you use the MI system, will be recorded in your training log there.

Where there are any other persons in the firm, all of them will need to be trained in the new rules. Whilst this document deals with much of the new requirements, a further GDPR Training Session will be issued in the new year and made available through the MI system for training other members of staff. A recommendation would be that all staff, directors and business partners are trained, including ARs where applicable and their staff. It is also recommended that any introducers of business are provided with a suitable update (the Training Document to be provided at a later date, for example).