So many acronyms. So little time. Anyway, it seems every man and his dog has a question regarding GDPR, which is not surprising as legislation is never clear cut. That would make life just a little too easy…
As 25th of May creeps even closer, the level of panic continues to rise. Intelliflo recently conducted a GDPR compliance survey which found 67% of firms say they don’t have a plan in place to fully implement GDPR in time. Y’all know that the fine for non-compliance is €20,000,000 or 4% of global turnover, right?!
For those who are still a little unsure of some of the main aspects of GDPR, we have answered the most frequently asked questions. Admittedly, there are more ‘Qs’ than ‘As’ at the moment, but we will continue to bring further guidance and clarity.
Q – Back to basics. What is a data controller and what is a data processor?
A data controller is the individual who determines how and why the data is processed. They decide how the data is to be collected and the reason for the collection. This could be the office manager, for example.
The data processor is the person or system that carries out the data processing on the controller's behalf, for example paraplanners, back-office systems and cashflow modelling tools.
Q – What exactly do I need to disclose to the client?
One of the key aspects of GDPR is communication. You need to disclose three key things to your clients. One, where their data is being held. Is it on a cloud-based storage system, for example, or is it held by another company? Two, why their data is being held. So, what is your legitimate reason for holding their data? And three, who will have access to their data. Will paraplanners have access to their data, will SelectaPension see client details, or your cashflow tool of choice, for example? All of these companies need to be listed for the client.
Q – I thought that if we have fewer than 250 employees or fewer than 5,000 personal records, then we are exempt from appointing a DPO?
This isn’t true and has been dismissed by the ICO. Earlier in the drafting process, it was said that ‘large firms’ would be classed as firms with over 250 employees or process more than 5,000 personal data records. However, this is now not the case.
You need to appoint a DPO if you:
- Are a public authority (except for courts acting in their judicial capacity); or
- Carry out large scale systematic monitoring of individuals (for example, online tracking behaviour); or
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
So regardless of the size of your firm or the amount of personal records you hold, if these criteria apply to you, then you need to appoint a DPO. Even if the GDPR doesn’t apply to your business, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR.
The confusion has stemmed from the reduced obligations placed on SMEs and the treatment of special category data. Firms with under 250 members of staff have reduced obligations under the GDPR when it comes to formally documenting processes and carrying out a data protection impact assessment. However, this exemption does not apply to businesses which process ‘special category’ data. This includes religious beliefs, trade union memberships, biometric data, health data etc. The majority of financial advising firms will gather at least some ‘special category’ data as part of their factfinding process, and therefore, regardless of the size of your firm, we recommend appointing a DPO.
Q – Legitimate interest vs withdrawal of consent. Which one prevails?
GDPR brings in a new right for consumers – the right to erasure, meaning you now need to delete a client’s data upon their request. The issue lies with the FCA’s current regulations, which state that you must hold client information for given periods of time; for example, pension transfer records need to be kept indefinitely. In a classroom environment, the FCA’s existing rules should overrule GDPR, meaning the legitimate interest will overrule the client’s right to erasure. However, we won’t really know until it is tested.
Q – We currently use Dropbox. Will we need to change this after GDPR?
The short answer is no. Dropbox Business allows you to select where your information will be held. You can therefore select a country within Europe to be compliant with the GDPR. This is because, although it is an American company, the data will never leave the EU. This has not been explicitly stated, but it has been implied that this is the position.
Q – Should our emails be encrypted?
Really, emails should already be encrypted. Do you not remember what happened to TalkTalk? They were fined £400,000 after a hacker took advantage of their weak system and gained access to 156,959 customers’ details. Under the current legislation, the maximum fine is £500,000. Imagine if that happened under GDPR! Yes, we know these are a faff to set up, but you need to protect your own back. Unipass, CounterMail, Hushmail and Mailfence are some examples of companies that provide encrypted email.
Q – I am meeting with a client and I need to input their partner’s details onto the Factfind so I can assess their finances and affordability. Do both of them need to sign?
Yes. Even though only one of them is your client, if there is enough information logged on the Factfind about their partner to be able to identify them, then they need to sign too. This includes details such as their address and their NI number.
Q – Will Brexit impact GDPR? Am I just wasting my time?
No, it won’t! If you think sticking your head in the sand until Brexit comes in is an option, then you need to take your head back out of the sand. The UK will not leave the EU until March 2019, meaning GDPR will have been in force nearly one whole year before we leave. Parliament have also announced that we still need to comply with GDPR regardless of Brexit.