As a piece of legislation, the General Data Protection Regulation (GDPR) has not received the level of attention it probably deserves. Yet it has huge implications for the protection industry, arguably more than for any other business sector, not least because sensitive client data is routinely transferred from one interested party to another.
Whether GDPR goes too far is a moot point, but few would disagree that data management, and the problems caused by misuse of data, is a growing concern.
Client data, for example, may first be received by a mortgage broker who will pass the data through their chosen portal. The data is then passed to one or more insurers following which it may move to an outsourced case management service. In addition, it could be passed on to one or more medical advisers to secure further information.
But who is ultimately responsible for, and the custodian of, this data? Is responsibility shared between the parties? And what processes need to be put in place to ensure compliance, especially as a client may have a single primary point of contact while their data resides in multiple locations?
Before going into some of the extra complications that the protection world faces, it is worth reviewing the universal requirements of the GDPR. GDPR comes into force on 25 May 2018 and, while it is EU legislation, the UK government has said its application will not be affected by Brexit. It is also worth stressing that, while much of the GDPR is similar to the UK's existing Data Protection regulations, there are some significant additional requirements.
It is also worth noting that failure to comply with GDPR could result in a fine of up to 4% of a company's annual worldwide turnover or 20 million Euros, whichever is higher. Given that this could be a significant sum, could some claims management lawyers see GDPR as a potential future income stream?
The GDPR sets out rights for any individual you hold data on, for example current clients, former clients and prospective clients. In brief, it covers the right to access and correct their data; the right to be informed about how their data is used and, where a breach puts them at high risk, to be told about it (such as loss of data); the right to move data from one provider to another; the right to restrict processing (e.g. no direct marketing); the right to have their data erased (the right to be forgotten); rights in relation to automated decision making and profiling; and a right to object.
In order to meet these requirements, the broader framework of how a business manages its data may have to be tightened, depending on its current processes. Many of the core requirements already exist within the current Data Protection rules, but they are in essence made more comprehensive and stringent.
Governance and accountability
Businesses will continue to be responsible for how they collect, store and use personal data. They will need data protection policies, including documentation on how data is handled and risk assessments. As now, these policies need to be communicated to all staff, including extra training where necessary.
In terms of governance, all regulated entities should already have a person in charge of compliance, which includes data protection. This structure does not need to change unless the business falls into one of the categories for which the GDPR makes a Data Protection Officer mandatory (for example where core activities involve large-scale processing of special categories of data, such as health data), and no such role currently exists, in which case it needs to be created. Even where a DPO is not mandatory, someone should be clearly accountable for data protection.
Data breaches and mismanagement
Regulations concerning the mismanagement of data are much more stringent and significantly more comprehensive. Previously, the rules broadly covered data loss only. The GDPR now covers loss, unauthorised disclosure of or access to data, and destruction and alteration. It is mandatory to report a breach to the Information Commissioner's Office (ICO) unless it is unlikely to "result in a risk to the rights and freedoms" of individuals.
For protection cases, it is fair to assume that almost all breaches will need reporting, given the sensitive (often medical) nature of the data, plus the reputational damage that could follow if a breach is subsequently highlighted on social media. Reporting to the ICO must occur within 72 hours of becoming aware of a breach. Where the breach is likely to result in a high risk to the individuals concerned, the business must also notify those affected "without undue delay".
Businesses should have an incident response plan in place for a possible data breach, covering how a breach is detected, contained, assessed for risk and reported within the 72-hour window, and should review those procedures regularly.
The requirements for consent are now that a request for consent must be "clear and distinguishable from other matters and provided in an intelligible and easily accessible form", and consent must be 'opt-in' rather than 'opt-out': pre-ticked boxes and silence no longer count. The ICO provides examples of appropriate ways to gain explicit consent in its GDPR consent guidance consultation.
Consent could prove to be a thorny issue within financial services, especially the protection industry, and some degree of future-proofing will be in order, particularly with regard to emerging technologies such as robo-advice or any automation of client reviews, including future needs assessments.
For standard new business, little will need to change other than possibly some tweaks to documentation to ensure that GDPR consent is separate from standard contractual consents.
However, if you want to use data in any other way, you will need to cover all options, such as future client reviews that involve automated processing, especially if that includes some element of specific product illustration. Other issues such as direct marketing will plainly need to be addressed. That said, explicit consent or client opt-in may not be required if there is another lawful basis to hold or process the data, such as a legal or regulatory obligation.
Data, integration and data cleansing
Many businesses currently hold client data that spans their financial offerings, i.e. mortgage, financial planning, GI or protection. Under the GDPR, a client's request to correct, restrict or erase their data must be applied consistently and promptly across every system in which it is held, irrespective of the fact that the business may be structured into separate operating units with separate databases.
Businesses will need to document what personal data they hold, including the source of any data, who has access to it, and where it has been shared. This could include any third party that has direct-mailed your client list, or even your marketing or research agency that may have carried out work on your behalf.
Data cleansing is something that some firms may want to look at ahead of the May 2018 deadline, as 'old' data is the most likely area for errors, inaccuracies and data that no longer has a reason to be retained.
The legal basis for processing personal data
Under the GDPR, businesses need to identify and demonstrate a lawful basis for each processing activity. For financial services providers this is largely straightforward and will usually rest on client consent, performance of the contract and regulatory obligations.
But this lawful basis will only automatically cover the current business in hand; for example, it will not cover cross-selling unless this forms part of the common advice process.
The rights to access data
Businesses will, in most cases, no longer be able to charge individuals to access their data. Further, the time limit for responding to a client request is one month, as opposed to the current 40 days. Clients must also be told how long their data will be retained and have the right to have inaccurate data corrected. So that a client's data can be reused by another organisation (the right to data portability), it should be provided in a structured, commonly used and machine-readable form.
Businesses will also need to inform clients of their right to withdraw consent at any time and how that can be done. The withdrawal process must be as simple as giving consent was, and appropriate mechanisms must be in place to act on withdrawals of consent.
Once GDPR is in force, a business will only be able to rely on consent gained under the current requirements if it can demonstrate that the consent meets the GDPR standard; otherwise fresh consent will need to be obtained.
The GDPR also covers a range of issues that will apply to some firms, such as the needs of international clients, or policies that hold information on children, such as children's critical illness cover.
One potentially challenging aspect of the GDPR is the right of individuals to have their data erased, as there could be a conflict here between a customer's right to have all their data deleted and an adviser's need to keep a copy of evidence that could be required in the future if and when a claim is made or a complaint is raised. The right to erasure is not absolute, and data may be retained where a legal obligation or the defence of legal claims requires it, but firms will need to document which records they keep, why, and for how long. This highlights a potentially tricky line businesses may have to tread as they reconcile obligations under GDPR with contractual and regulatory obligations elsewhere. More clarity is likely to be required on issues such as these.
Biggest change in 30 years
Considered by many to be the biggest overhaul of data protection regulation in thirty years, there is no denying that the implementation of GDPR will be a challenge. But with fines of up to 20 million Euros, or 4% of turnover, for breaches of the regulation, adequate preparation is key.
As the Information Commissioner Christopher Graham noted, "people have never been so aware of what their personal data is, and never cared so much about how it is used." Now, with the introduction of GDPR, directors will have "20 million reasons to start listening."
[Sponsored article by LifeQuote]