The General Data Protection Regulation, or GDPR as it is more familiarly known, took effect in May 2018. Two years on, we thought it would be useful to do a quick review.
The intention of the legislation was to protect data and privacy in the European Union and the European Economic Area. It also addressed the transfer of personal data outside the EU and EEA areas. As the UK was, at the time, a member of the EU, we were obliged to give effect to the regulation. This was done in the form of the Data Protection Act 2018 (DPA 2018).
The DPA 2018 replaced the Data Protection Act 1998. The new rules largely mirror the DPA 1998 but go further in some important respects, primarily around consent, marketing restrictions and penalties for failing to follow the rules.
- Obtaining valid consent is more stringent;
- There are additional restrictions on marketing activities;
- There are significant penalties for data protection breaches. There are two tiers of penalty – standard and higher. Standard fines apply to less serious breaches such as administrative errors and can be up to €10m (or equivalent in sterling) or 2% of a firm’s annual worldwide turnover, whichever is higher. Higher fines apply to breaches of data protection principles or in relation to transfers of data to third countries (i.e. outside the EU/EEA) and can be up to €20m (or equivalent in sterling) or 4% of a firm’s annual worldwide turnover, whichever is higher.
The Information Commissioner’s Office (ICO) continues to be the organisation responsible for oversight and enforcement of the DPA 2018.
Any organisation or individual that processes personal information needs to register with the ICO (unless an exemption applies).
‘Personal information’ means any detail about a LIVING* individual that can be used on its own, or with other data, to identify them. ‘Processing’ includes any of the following:
- obtaining it;
- recording it;
- storing it;
- updating it; and
- sharing it.
The ICO website provides a wealth of guidance with examples and should be the first port of call in the event of a query.
* That data protection only applies to living individuals is the general position. There are some special post mortem protections that apply to the recently deceased, for example in relation to obtaining health records, but ALL protections cease two years after the date of death.
A fundamental element of the rules is that there must be a lawful basis for processing personal data. It is likely that, prior to the DPA 2018, most financial firms relied on ‘Consent’ as the lawful basis. However, there are actually six lawful bases for processing data. Consent continues to be one of those, but another, ‘Contract’, is widely considered to be a more appropriate lawful basis for many adviser firms, for a variety of reasons that we will not go into here. Some of the other lawful bases, for example ‘Legitimate interests’, might be valid in certain circumstances but should not be used as a matter of course. Firms’ privacy notices should be absolutely clear about which lawful basis is being relied upon.
The Contract basis applies where processing of personal data is required in order to supply goods or services the individual has requested, or to fulfil obligations under an employment contract. This also includes steps taken at the request of an individual before entering into a contract. No client signature is required.
Firms that choose to rely on Consent must ensure that it is ‘valid’. The conditions required to obtain valid consent are more onerous post-GDPR. Full details can be found on the ICO website, but they include that consent must:
- be clear about what is being consented to;
- be freely given;
- not be a pre-condition of providing a service;
- be an affirmative opt-in choice;
- be separate from any other client authorisation, e.g. a client agreement;
- be refreshed if any aspect for which consent is given changes.
Consent can be withdrawn at any time, and it must be ‘refreshed’ regularly. The DPA 2018 is silent on how frequently consent should be refreshed, but the ICO recommends every two years unless there is a robust reason for a less frequent refresh.
That means that, for all clients whose GDPR consent was obtained in May 2018, that consent will need to be refreshed soon.
It also means that firms must keep good records covering:
- Who consented;
- When they consented;
- What they were told at the time;
- How they consented, and to what;
- Whether they have withdrawn consent and, if so, when.
Refer to the ICO website for further detail.
Special category data
This refers to information that requires additional protection and which, as a result, is subject to additional safeguards. Such information relates to any of the following:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data;
- health;
- sex life; and
- sexual orientation.
The rules around processing any of these data are quite involved, but the key point for adviser firms is that consent is always required where such information is being processed. Health information is the category most likely to arise in the advice process. It is possible to rely on the contract basis generally and to use consent for special category data only on those occasions where it is required. For example, if the advice being provided relates solely to, say, an ISA investment, it is unlikely that health information will be required.
Note that separate rules apply to personal data about criminal allegations, proceedings or convictions.
Issues with DPA 2018
Below are some of the issues we have come across in the past two years.
- Data Protection wordings not updated/removed in some documents, usually a fact find or on the firm’s website;
- In any case, Data Protection documentation and any consent should be a separate standalone document. Some firms still include it as part of a (usually lengthy) disclosure document; the disclosure document can refer to the separate privacy document but should not incorporate it;
- Data Protection information not provided early enough and lawful basis not established early enough. As indicated earlier, obtaining personal information is one element of processing data and the formalities must be done before any personal information is obtained;
- Additional rules apply when processing data relating to children – firms are often not aware of the requirements or do not implement them – refer to the ICO website for detailed guidance;
- Firms using consent as the lawful basis do not always maintain the required records – see above;
- Marketing consent not compliant – see below.
Many firms include a Marketing section in their data protection documents. Many fail to do so compliantly!
There appears to be a widespread misunderstanding about marketing and the GDPR. While the GDPR/DPA 2018 governs the data firms use for email marketing, the permission required to send email marketing is defined by the Privacy and Electronic Communications Regulations (PECR). ePrivacy is a European directive; PECR is the UK interpretation of ePrivacy. The ICO has published guidance on PECR.
PECR restricts unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.
PECR does not apply to ‘Direct Marketing’, which is marketing done by post, although it is worth remembering that firms doing Direct Marketing need to ‘clean’ mailing lists to ensure that individuals who have registered with the Mailing Preference Service are not sent mailings. A similar service also exists in relation to telephone calls.
In our experience, many firms include marketing consent in their current documentation for no better reason than it was in their pre-GDPR documentation. Further, most of these firms have never actually done any electronic marketing that would require such consent – and have no intention of doing so. The first thing firms should consider is whether marketing is actually a key part of the business model. If not, then firms should remove the marketing consent text from their documents.
Firms that genuinely want to do electronic marketing can only do so on one of two bases:
- With consent;
- To existing customers or those in negotiation for a sale or service.
Marketing consent must meet all the standards for consent under the DPA 2018 listed above. In addition, it must be sufficiently granular to clearly identify what type of marketing is being consented to, including how it is sent, how often and about what. Firms also need to maintain comprehensive records covering the sign-up forms and wordings, and when, where and how consent was obtained.
PECR also allows email marketing, in certain circumstances, to existing customers and those in negotiations for a sale or service. Those circumstances are:
- where the email address was provided during the sale or negotiation process;
- where an option to opt-out was provided;
- where the marketing is limited to goods and services relating to the purchases or customer relationship; and
- where the customer is given an option to opt-out in each message.
This situation is sometimes referred to as a “soft opt-in”. It means, for example, that firms do not need marketing consent in order to email newsletters to existing clients, or to communicate with existing clients about their annual review or about contributing to an ISA or pension, provided that the above conditions are met and that the subject of the communication is similar to what has been provided to the client before. It does not permit firms to email clients about an entirely new product or service that has never been in scope previously.
The above comments relate to marketing by the firm. Marketing by a third party is an entirely different matter and requires more consideration than we can briefly cover here.
As indicated, the DPA 2018 arose out of the GDPR, an EU regulation. We have been out of the EU since January 2020 but are still complying with EU regulations until the current transition period ends. That is scheduled for the end of 2020, although there remains a possibility that it will be extended.
The DPA 2018 will remain after transition, but how it will relate to the GDPR as legislated by other EU/EEA jurisdictions will depend upon the outcome of the transition negotiations. Data protection within the UK and NI is likely to be unchanged, but transfer of data to or from outside the UK, even with EU/EEA countries, might well be subject to a new regime.