The General Data Protection Regulation (GDPR) aims to modernise the way data is collected and stored, but what do advisers need to do to ensure they are compliant?
Two decades ago, when the 1998 Data Protection Act was drafted, Apple was still mostly known as a fruit and the term 'IP address' would have prompted blank looks all around.
Today, the General Data Protection Regulation (GDPR) aims to bring the way data is collected and stored into the 21st century. The new rules mean consumers will have the right to know much more about how their information is used and stored.
"Data protection law is clearly not new - we have the 1998 Act. But the GDPR and the UK legislation that will follow will extend it and raise the bar in certain respects. It is one of those changes where everyone is going to have to take action," explains Helen Baker, partner at law firm Sackers.
Advisers may be preoccupied with responding to MiFID II, but the deadline for complying with the GDPR - 25 May 2018 - is drawing near and much more needs to be done than many realise.
Controlling the data
All advisers already hold personal data about their clients. But the GDPR imposes stricter rules on how that data is accessed and shared. The regulation splits companies which hold data into two categories: data controllers and data processors.
Controllers are companies that collect personal data, making decisions about what data is held and for whom. They hold ultimate responsibility for the data.
Processors act on behalf of the controller and may decide, for instance, where data is stored, how to transfer data from one company to another, and how to dispose of it. It seems likely many advisers will be data 'controllers', with a stronger obligation to protect the data.
"As a data controller, you have to let individuals know that their data is being processed and why," explains Paul Carney, partner at law firm Shoosmiths.
"You have to inform them of their right to know why you hold certain data and if they really want to, to handle requests to have their data removed entirely or to make a complaint. That is going to increase workloads by a big factor."
Carney adds: "Data consent has to be fully informed - the word that keeps being used is 'granular'. If there are ten reasons you have this data, then each of those reasons has to be made clear to the data subject. The subject has to consent to each of them."
The GDPR compliance process is best broken down into steps: "One of the starting points is to think about the information that you hold," suggests Baker. "It sounds incredibly basic. But if you do not start from this level, it is difficult."
Advisers should review the information they hold, establish why they have it and where it is stored, and who is able to access the data. Are third parties given access to it?
Once these questions are answered, advisers will be in a better position to start making decisions about how they treat the data, says Baker.
A balance needs to be struck between getting rid of old data that is not business critical and safeguarding data that might be important in future, she adds.
Generally, firms are writing individually to their clients to tell them what information they hold, explaining why and explaining their new rights under the GDPR, says Carney.