The EU’s General Data Protection Regulation (GDPR) is the result of work done by the EU over a number of years, with the intention of ensuring that data protection legislation remains effective in the light of the new ways in which data is now used – think of Google and Facebook, the personal data they hold about millions of people, and then wonder what they do with that information now … or might do in the future.
The current data protection rules in the UK derive from the Data Protection Act 1998 (DPA), but these rules will be superseded by the new legislation, giving people more say over what companies can do with their data. There will be tougher fines for non-compliance and breaches, and the rules will still be enforced by the Information Commissioner’s Office (ICO). See here for ICO guidance on GDPR. The new rules will make data protection rules more or less the same throughout the EU. The rules are already in place (since 24 May 2016) but will not actually apply to firms until 25 May 2018.
So why think about the GDPR now?
In one of our recent MiFID II articles on disclosure requirements, we highlighted the likelihood that most firms will need to review and amend their disclosure documents in order to comply with the updated MiFID II requirements. We also mentioned, in passing, that changes will also be needed to comply with the new data protection rules that take effect on 25 May 2018. While these are not strictly MiFID II related, we reckon that, as firms are likely to be reviewing/amending their current disclosure documents to reflect MiFID II requirements, it would be sensible to make the GDPR amendments at the same time rather than having two changes to disclosure within a few months of each other.
One very obvious change under the GDPR is that client consent to the gathering and processing of data should be separate from any other consent, so the easy win for firms is to remove whatever DPA text and consent currently sits in the initial disclosure documents and place it instead in a separate ‘GDPR’ document. This easy move will not necessarily take care of every GDPR issue, as the wording currently used may well require amendment in many firms. See below for further guidance, but one point worth making right up front is that client consent should be on an ‘opt-in’ basis. Many firms have opt-out consent (tick this box if you DON’T want to be bombarded by our special offers twice every day and three times on a Saturday!) despite the fact that the DPA has always required opt-in consent.
What should a GDPR consent look like?
Firms should provide a full privacy notice whenever they are gathering personal details from individuals. On the assumption that these personal details are coming directly from the person concerned, a privacy notice should cover the following points:
- Name and contact details of the data controller (the firm);
- Reason for processing and the legal condition to processing;
- Legitimate interests of the controller (if applicable);
- Any other party or categories of third parties that the data will be disclosed/shared with;
- Details of transfers to third countries and safeguards (where transfers are concerned consent will be required);
- Retention period or criteria for determining retention period;*
- If providing the information is a statutory obligation, what the consequences are of not providing it;
- If automated decisions are made, including profiling, how those decisions are made, consequences and significance of those decisions;
- What the data subject’s rights are;
- The right to withdraw consent;
- The right to lodge a complaint to the ICO;
- The right to obtain details of personal information held by the firm.
* In the case of FCA regulated firms there is no single retention period, so it would make sense to keep this part generic, along the lines of “Your information will be retained for no longer than necessary to provide our services to you and as required by legislation.”