GDPR – new data protection rules

The EU’s General Data Protection Regulation (GDPR) results from work done by the EU over a number of years with the intention of ensuring that data protection legislation is effective in the light of new ways that data is now used – think Google and Facebook, the personal data they hold about millions of people and then wonder what they do with that information now … or might do in the future.

The current data protection rules in the UK derive from the Data Protection Act 1998 (DPA) but these rules will be superseded by the new legislation, giving people more say over what companies can do with their data. There will be tougher fines for non-compliance and breaches and the rules will still be enforced by the Information Commissioner’s Office (ICO). See here for ICO guidance on GDPR. The new rules will make data protection rules more or less the same throughout the EU. The rules are already in place (since 24 May 2016) but will not actually apply to firms until 25 May 2018.

So why think about the GDPR now?

In one of our recent MiFID II articles on disclosure requirements, we highlighted the likelihood that most firms will need to review and make amendments to their disclosure documents, in order to comply with updated MiFID II requirements. We also mentioned, in passing, that changes will also be needed to comply with the new data protection rules that take effect on 25 May 2018. While these are not strictly MiFID II related, we reckon that, as firms are likely to be reviewing/amending current disclosure documents to reflect MiFID II requirements, it would be sensible to consider making the amendments for GDPR at the same time rather than having two changes to disclosure within a few months of each other.

One very obvious change under the GDPR is that client consent to gathering and processing data should be separate from any other consent so the easy win for firms is to remove whatever DPA text and consent currently sits in the initial disclosure documents and place it instead in a separate ‘GDPR’ document. This easy move will not necessarily take care of every GDPR issue as the wording currently used may well require amendment in many firms. See below for further guidance but one point worth making right up front is that client consent should be on an ‘opt-in’ basis. Many firms have opt-out consent (tick this box if you DON’T want to be bombarded by our special offers twice every day and three times on a Saturday!) despite the fact that the DPA has always required opt-in consent.

What should a GDPR consent look like?

Firms should provide a full privacy notice whenever they are gathering personal details from individuals. On the assumption that these personal details are coming directly from the person concerned a privacy notice should cover the following points: 

  • Name and contact details of the data controller (the firm);
  • Reason for processing and the legal condition to processing;
  • Legitimate interests of the controller (if applicable);
  • Any other party or categories of third parties that the data will be disclosed/shared with;
  • Details of transfers to third countries and safeguards (where transfers are concerned consent will be required);
  • Retention period or criteria for determining retention period;*
  • If providing the information is a statutory obligation, what the consequences are of not providing it;
  • If automated decisions are made, including profiling, how those decisions are made, consequences and significance of those decisions;
  • What the data subject’s rights are;
    • The right to withdraw consent;
    • The right to lodge a complaint to the ICO;
    • The right to obtain details of personal information held by the firm.

* In the case of FCA regulated firms, there is no single retention period and so it would make sense to keep this bit generic along the lines of “Your information will be retained for no longer than necessary to provide our services to you and as required by legislation.”


Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

Firms have a full to-do list just getting ready for MiFID II, but it makes sense to deal with the GDPR aspects at the same time, as disclosure documents are being reviewed anyway.

Action Required By You

  • Review your disclosure documents for MiFID II compliance;
  • At the very least, extract the current DPA wording and consent to a separate document;
  • Ensure awareness of GDPR requirements;
  • Amend the separate DPA document before 25 May 2018 to fully reflect GDPR rules, if not done now.

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.
