GDPR – one year on

GDPR, supplemented in the UK by the Data Protection Act 2018, has applied since 25 May 2018.

Now, one year on, we thought it would be useful to have a look at how well it has been implemented in firms and share with you the issues we see.

GDPR – a quick refresher
Businesses that obtain or process personal data about a living individual must establish a ‘lawful basis’ for doing so.

There are six possible lawful bases, but the two that are most likely to be applicable in financial services are ‘Consent’ and ‘Contract’.

Consent
Consent was almost universally the basis that adviser firms used prior to DPA 2018, but it is now generally not considered to be the most appropriate basis for our industry, for the following reasons:

  • Consent must be clearly ‘freely given’;
  • If you cannot offer the individual a genuine choice over how you use their data, consent is not appropriate;
  • If you would still process the personal data without consent, asking for consent is misleading and inherently unfair;
  • If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.

The last point is the decisive one, as it is not possible for adviser firms to provide their services unless they can process personal data. In addition, consent can be withdrawn by the individual at any time, and it does not last indefinitely: there is no fixed expiry in the legislation, but the ICO expects firms to review and refresh it, and every two years or so is generally considered reasonable.

Issue number one:
Many firms have continued by default on a consent basis but do not necessarily appreciate all the implications above, especially the need to refresh consent and to stop processing if it is withdrawn.

Contract
We recommend the contract lawful basis as the optimum basis for most firms. This basis applies if:

  • you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract;
  • you haven’t yet got a contract with the individual, but they have asked you to do something as a first step and you need to process their personal data to do what they ask.

Whichever basis is used, the firm’s privacy notice (and consent if applicable) should be kept separate from any other agreement or authorisation that the firm presents to the client – e.g. the client agreement.

Issue number two:
Many firms have incorporated their Privacy Notice and/or Consent into their existing Terms of Business or Client Agreement. These should be kept separate.

Issue number three:
Many firms have created a separate document but have not deleted the DPA 1998 references in other documents (usually the ToB, Client Agreement or Fact Find).

Issue number four:
Marketing consent – many firms still have longstanding wording seeking permission for the firm or third-party firms to send the client marketing material. The wording is normally still within the Terms of Business or Client Agreement and should not be. Most firms that request marketing consent never actually use it. If firms really do wish to use data for marketing purposes they need to research the matter in great detail, as there are additional onerous rules around marketing consent under GDPR/DPA 2018 and further implications arising from the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing by email, text and telephone. Not least, consent needs to be specific, detailed and granular – for example, separate options for each channel and for the firm as opposed to named third parties. It is not sufficient to offer one tick box for the client to consent to any marketing, at any time, from anyone.

Issue number five:
Privacy notices should inform clients of their rights under GDPR/DPA 2018. One of these is the ‘Right to object to processing’. Where a firm is relying on consent or contract as its lawful basis, the general right to object does not apply (it attaches to the legitimate interests and public task bases); what does apply, whatever the lawful basis, is the absolute right to object to processing for direct marketing purposes. The notice should describe the right accurately rather than simply listing it.

Passing data to third parties
Firms inevitably have to pass client data to third parties, for example providers or compliance consultants! The rules require the privacy notice to state the recipients, or categories of recipients, of the data, and the ICO expects those categories to be specific enough for the client to understand who actually receives it.

Issue number six:
We see firms providing a generic catch-all list of possible third parties such as ‘providers, compliance consultants, etc.’ This is not sufficient. Third parties should be named, or at least described precisely enough that the client knows which organisations, or which specific kinds of organisation, will receive their data.

Issue number seven:
Finally, we regularly see cases where an existing client has not been provided with an up-to-date Privacy Notice even though meetings have taken place and/or advice has been provided since 25 May 2018.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

RDR – several years on. MiFID II – 18 months on. GDPR – one year on. What do these have in common?

The fact that many firms have not fully or correctly incorporated the requirements into their processes despite those requirements having been in place for some time.

Getting GDPR requirements wrong can have significant repercussions, including enforcement action by the ICO. One year on, it would be prudent to review your processes to ensure they fully comply.

Action Required By You

  • Review your data protection processes against the issues we mention here;
  • Contact your usual ATEB Consultant for more information or contact ATEB directly.

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.
