A guide to GDPR in the specialist finance market

The implementation of the General Data Protection Regulation (GDPR) is creating challenges which require action from everyone in financial services.

GDPR will apply in the UK from 25th May 2018 and despite it being introduced by the European Union, the UK government has confirmed that Brexit will not affect its commencement.

What is it? 

According to PwC, the GDPR is the largest change to data protection legislation in the last 20 years and regulators will have unprecedented power to impose fines.

The GDPR will replace the Data Protection Directive 95/46/EC in 2018 and the principles are similar to those in the Data Protection Act 1998 (DPA), with added detail at certain points and new accountability requirements. 

The GDPR requires businesses to show how they comply with the principles, for example, documenting the decisions taken about a processing activity. 

Article 5 of the GDPR requires that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Who does GDPR apply to? 

The GDPR applies to ‘controllers’ and ‘processors’.

The controller decides how and why personal data is processed, and the processor acts on the controller’s behalf. Organisations currently subject to the DPA are likely to be subject to the GDPR as well.

The GDPR applies to both personal data and sensitive personal data. Data relating to criminal convictions and offences is not included in that definition, but extra safeguards apply to its processing.

How are financial firms impacted?

According to PwC, the GDPR changes will require widespread privacy changes across every financial organisation as individuals are put back in control of how businesses use their data. 

However, PwC believes the changes create a major opportunity for financial firms to:

transform their approach to privacy
harness the value of their data
ensure their organisation is fit for the digital economy.

How can I find out more? 

PwC and the Information Commissioner’s Office have both produced guides to help businesses and individuals understand the changes the GDPR will bring. 

Meanwhile, specialist finance businesses and individuals will have the opportunity to understand more about the GDPR at the Finance Professional Show.

The FP Show 2017 – which takes place at Olympia in London on 8th November – will feature a speech by Robert Lands, partner at London-based law firm Howard Kennedy, where he will explain the impact of the GDPR.

The speech will also explain how the specialist finance industry can prepare itself for when the GDPR replaces the Data Protection Directive 95/46/EC in 2018. 
