The GDPR covers all EU Member states including the UK and will apply to companies holding or processing individual’s data. Most companies in the UK are already bound by the Data Protection Act (1998) but the GDPR goes further and places additional requirements on the handling and protection of such data.
Whilst this is an EU regulation and some may be wondering if, as a consequence of Brexit, the UK will be bound by it. The short answer is yes. The Information Commissioner’s Office (ICO), the UK’s independent authority appointed to uphold information rights and, importantly, to provide guidance on legislation such as the GDPR has already stated that Brexit will not affect the commencement of GDPR. Certainly, any triggering of Article 50 now would place the commencement date of GDPR within the 2-year timeframe. Furthermore like the Data Protection Act the GDPR contains the concept of ‘equivalence’ guaranteeing that a country has a commensurate level of data protection thus enabling EU companies to distribute individual’s data beyond the EEA. It is likely that the UK will strive to maintain such a standard of data protection thereby avoiding the need to implement a scheme such as the USA’s now defunct Safe Harbour or its replacement – the Privacy Shield. Many of the UK-hosted pan-EU financial technology companies will almost certainly rely on equivalence and would be adversely impacted otherwise.
What does it mean for asset and wealth managers? The ICO has set out a series of 12 steps that all companies should be undertaking ranging from reviewing the privacy notices used during the collection of personal data, through documenting personal data to familiarising themselves with the requirements of Protection Impact Assessments and ‘Protection by Design’. The ICO has also published specific guidance on key GDPR topics including the changes to Privacy Notices and they have committed to publishing further guidance on the use of Consent [as a mechanism for holding and processing personal data] and Contracts & Liability “in early 2017”. Asset and wealth managers should be reviewing their provisions for data protection in light of the GDPR and the ICO’s initial guidance.
A key tenet of GDPR is the concept of “Privacy by Design”, originally developed by the Information and Privacy Commissioner of Ontario, subsequently championed by the ICO and then adopted into the text of the GDPR. This states that companies will be obliged to demonstrate Data Protection “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing”. Unfortunately there is no explicit definition of compliance with the concept of Privacy by Design and whilst the GDPR does provide some examples these are few and by no means prescriptive. Consequently there is a vacuum of information for Asset and Wealth Managers to benchmark themselves against. This would be a key area for the ICO to provide guidance on, but in the interim there is much speculation on the definition and the breadth of solutions that could be employed.
We take a pragmatic, unbiased viewpoint on assessing data protection and making recommendations based on our combined understanding of the GDPR, the solutions and protection available in modern systems as well as the data held by asset and wealth managers.