There is less than a year to go until a new European rule book on data protection comes into force. Advisers need to know that it will have a direct impact on how they run their businesses and is, by all accounts, more onerous than previous regulations in this area, with steep penalties for errors.
The European General Data Protection Regulation (GDPR) comes into force on 25 May 2018, repealing the existing UK Data Protection Act (DPA). Brexit is not set to halt this process.
Top of the list of things to know is that the new rules come with an obligation to notify the ‘relevant supervisory body’ within 72 hours of a notifiable data breach being detected.
What does that mean? ‘Notifiable’ refers to the loss of any data that could jeopardise the rights and freedoms of individuals.
Data losses that could expose individuals to identity theft would need to be reported, but the loss of a list of staff telephone numbers most likely would not. Should the breach pose a high risk, the onus is on firms to notify the affected individuals directly.
Giulia Lupato, senior policy adviser for the newly formed Personal Investment Management & Financial Advice Association (Pimfa, created by the merger of the Association of Professional Financial Advisers and Wealth Management Association), has been leading policy work around GDPR.
‘The best thing firms can do is have a strong process in place, so they can point to an audit trail and prove when and how the breach was detected,’ she said.
‘If a software update is available, implement it. It’s a matter of showing you have done everything in your power to protect customer data.’
The new regulation promises harsher punishments for those falling foul, with fines of up to £20 million, or 4% of turnover.
Rob Reid, chief operating officer of cybersecurity firm StayPrivate, flagged up the issue of open external emails. ‘The main point of GDPR is there is now a framework to fine people for not looking after their data,’ he said. ‘They are hoping the prospect of financial penalties will ensure firms are more diligent.
‘Firms need to be looking at how they look after data internally and externally. Many firms have measures in place to protect personal data within the corporate firewall but do not necessarily have secure enough systems to shore up external communications.’
With consultations ongoing, Pimfa has been lobbying for a proportional approach for smaller IFAs when it comes to financial penalties.
‘We take the position that proportionality should apply, because if you are a small firm it would be disproportionate to be subject to a fine that could put you out of business,’ said Lupato.
Technology neutrality (service providers showing no preference to one type of technology) is one of the key tenets of the European regulatory framework regarding electronic communications, and the new rules will apply to hard copies.
‘The equivalent of a well-constructed IT system would be a strong safe with a key or complex code,’ said Lupato. ‘Hard copies of files should be demonstrably kept in as secure a location as possible.’
Lupato used an example at an IFA firm. ‘If you visit three clients and can’t go back to the office in between, you will need to keep [the files] out of view in the boot and in a case that is securely locked, so even if it was stolen, access would be difficult to obtain,’ she said. ‘There needs to be evidence that you have taken all necessary measures to protect that data.’
For IFAs seeking a straightforward breakdown of what they need to do, the Information Commissioner’s Office (ICO) website provides a 12-step preparation guide. Pimfa is seeking clarity on which aspects of GDPR will fall under the jurisdiction of the Financial Conduct Authority as opposed to the ICO.
Its consultation responses will be publicly available when the new Pimfa website is up and running.