Big data and financial regulation share two striking resemblances: both are overwhelming and largely impenetrable to the uninitiated. Although combining the two is pursued with noble intentions by regulators, the result is a concoction of stress, confusion and frustration for most firms. This combination, however, is of paramount importance for firms’ and clients’ concerns about data security. On 27 April 2016, the final text of the General Data Protection Regulation (GDPR) was released to be implemented throughout the European Union from 25 May 2018. This regulation will primarily apply to controllers and processors of data and will replace the Data Protection Act 1998 (DPA) in the UK. To minimise the stress for firms, this article outlines some of the key differences between the current DPA legislation and the GDPR and will emphasise what controllers and processors of data can do to adapt their practice to comply with the GDPR, and will also look at the crossover between MiFID II and GDPR for financial service providers.
Brexit has led to uncertainty as to whether the GDPR will apply after the UK leaves the EU. Presently, it is difficult to predict how the UK’s data protection legislation will change after it leaves the EU. But this regulation will be law from 25 May 2018 and there will be an interim, albeit short, period where the UK will still be a part of the EU and therefore its firms must still be fully compliant with the GDPR. Consequently, it is essential for firms to fully anticipate and adapt in advance of the GDPR, as the penalties for not complying will be fines of up to 4% of annual turnover or 20 million euros for both controllers and processors. To help firms avoid these hefty fines, this article will now focus on the following sections of the GDPR: crossover between MiFID II and GDPR, consent, privacy and rights belonging to the data subject.
Crossover between MiFID II and GDPR
MiFID II introduces a requirement whereby firms that provide financial services linked to financial instruments must record and store all communications that lead to a transaction for up to five years. On the other hand, GDPR states that personal data should not be kept for longer than necessary and that any recordings must be specific to the transaction, which means that recording personal calls would not comply with GDPR.
To adapt to these measures, two approaches can be taken by firms offering financial services. The first is to use a cloud-based service that records conversations in transit and provides a secure infrastructure for a firm. The second is for a client to provide a personal number and a separate business number so that only the latter is recorded for business-related activity. Given that people are increasingly reliant upon mobile phones, iOS and Android phones already have the infrastructure to split business and personal communications.
Firms need to review how they are seeking, obtaining and recording consent. Consent must be given freely in a specific, informed and unambiguous manner. Consent must also be positively given and cannot be inferred from silence. The regulation gives the following examples: “ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”. In addition, when considering whether consent was given freely, the GDPR might consider whether the contract is contingent upon the client giving consent to processing data that is superfluous to the performance of the contract. The client also has the right to withdraw consent at any time.
There are some uncertainties to this part of the GDPR. For special categories of data, “explicit consent” will be required, but the regulation does not give a clear definition of ‘explicit consent’. Special categories of data will include personal information about a client, such as ethnic origin, religious beliefs or trade union membership. The standard for explicit consent will likely remain the same as the provisions in the Directive, which is that a client must be provided with a proposal for disclosure of specific pieces of personal information and the client must actively respond in writing or orally.
What data is held, where the data came from and who the data is shared with are the main privacy provisions under GDPR’s requirements for personal data documentation. The GDPR increases the rights of data subjects so that, if inaccurate data is shared with another organisation, that organisation must know the data is inaccurate. Firms should review their current privacy notices and decide if any changes are necessary. Under DPA, firms are required to inform clients of certain information, like identity and use of information. The GDPR requires firms to explain the legal basis for processing data, data retention periods and instructions for how individuals can complain to the Information Commissioner’s Office (ICO) if they believe there is an issue with how firms are handling their data.
Furthermore, firms need to read the ICO’s guidance on Privacy Impact Assessment (PIA), which will become a legal requirement under GDPR. PIAs are part of the ICO’s privacy by design approach, which aims to promote privacy and data protection compliance from the start by integrating these elements structurally. PIAs are used to identify privacy risks and can be used alongside other risk management policies within a firm.
Rights belonging to the data subject
The GDPR also enshrines rights for data subjects and includes the following: subject access, correcting inaccuracies, information erased, prevention of direct marketing, prevention of automated decision-making and profiling and data portability. Whilst many of these rights are already covered under DPA, there are two new categories. The first, data portability, requires firms to provide the data electronically and in a commonly used format.
More contentiously, the right to be forgotten is a new measure emerging from a Spanish legal case against Google Spain and Google Inc. that went to the Court of Justice of the European Union. The EU Court ruled on 13 May 2014 that, in certain circumstances, individuals have the right for links to personal information to be removed from search engines “on a case-by-case assessment” if “the information is inaccurate, inadequate, irrelevant or excessive”. The new right under the GDPR requires controllers of data to take “reasonable steps” to inform third parties when a client has requested personal information to be removed. The burden of proof has also been shifted to the controller to prove that personal data is still relevant and therefore cannot be deleted. Lastly, non-European parties offering services in Europe must comply with this provision. Firms must ensure that they understand these rights and that their infrastructure is compliant with these new requirements.
The start of 2018 will spark a flurry of financial regulations being implemented. The implementation of GDPR in May 2018 is at the tail end of the 2018 financial regulation queue, with PRIIPs and MiFID II coming into force from January and SFTR going live in the first quarter. With all these financial regulations looming, processors and controllers of data are advised to prepare in advance for the vast changes that will be occurring.
JWG will be publishing articles up until the deadline. To receive these articles and to keep up to date with all regulatory developments, follow us through our newsletter, our Twitter feed and our LinkedIn group.