As we fast approach the May 25th deadline for GDPR implementation, our Head of Risk & Compliance, Patrick McCarrick, takes time out of his busy schedule to share his insights regarding the key principles of GDPR and what they mean for financial services businesses.
Having worked within a variety of regulated financial services businesses over the past 25 years, I have seen a constant emphasis on gathering a wide range of personal information on new and existing clients alike. The purpose of this was to enable a business to identify and meet the ongoing, and developing, needs of clients, whilst at the same time fulfilling increasingly complex compliance obligations and regulatory requirements, particularly those related to Anti-Money Laundering (AML) and Terrorist Financing prevention. In more recent times these have expanded to include taxation-related legislation such as the Foreign Account Tax Compliance Act (“FATCA”) and the Common Reporting Standard (“CRS”).
‘Evolution not Revolution’
I think that it is fair to say that for most financial services firms, such as Knox House Trust (“KHT”), the introduction of the General Data Protection Regulation (“GDPR”) is more of an evolution than a revolution. As a regulated business we have always taken our Data Protection (“DP”) and Data Security obligations seriously. So the introduction of GDPR is being viewed as an opportunity for review and refinement rather than an obstacle to overcome.
It is with these thoughts in mind that I was asked to outline what the business needs to do to ensure we are ready for the GDPR’s 25 May 2018 implementation date. Article 5 of the GDPR contains 7 overarching Principles, which have helped us to focus our thoughts and identify what the key incoming changes of GDPR actually are and how they will impact financial services businesses such as KHT.
Principle 1: Lawfulness, Fairness and Transparency
This principle emphasizes transparency for all data subjects and for data collection from clients. It states that a business must be clear as to why data is being collected and how the data will be used. A business must also be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at KHT, or what data the organization holds about them, we are obliged to make this information available to them, free of charge, as soon as possible.
Principle 2: Purpose Limitation
This principle relates to the need for a business to have a lawful and legitimate purpose for processing the information and data in the first place. In short, this principle makes it clear that we shouldn’t collect any piece of data that doesn’t have a specific purpose, or that is incompatible with the purpose we collect it for. For example, KHT is not permitted to use data, such as e-mail addresses, from our client database to market the products and services of other entities within the Knox group of companies.
Principle 3: Data Minimization
This principle requires a business to ensure the data they capture is adequate, relevant and limited. In essence, we (KHT) must only store the minimum amount of data required for a specific purpose.
Principle 4: Accuracy
This principle relates to the need for a business to ensure information remains accurate, valid and fit for purpose. To comply with this principle, KHT must have processes and policies in place that address how we maintain the data we are processing and storing.
Principle 5: Storage Limitation
This principle discourages the unnecessary retention of client data by a business. For example, once KHT no longer has a lawful purpose to hold client data, it should prevent replication/processing and take steps to ensure that the data is destroyed in due course. This principle also limits how client data can be stored and moved and how long client data can be stored, and requires us to have processes in place to prevent, identify, address and report data breaches (should they occur).
Principle 6: Integrity and Confidentiality
This principle seeks to protect the integrity and privacy of data by making sure all data is secure. In practice, this requires KHT to implement security measures that are proportionate to the risks to, and rights of, individual data subjects.
Principle 7: Accountability
This principle is the need to be able to demonstrate to the various governing bodies that a business has taken steps commensurate with the risk the business and its clients face. Therefore, in order to comply, KHT must ensure that every step within our GDPR framework is fit for purpose, auditable and can be evidenced quickly and efficiently.
Conclusion
Whilst some businesses may not be welcoming the incoming legislation, one thing is certain: failure to comply will be a costly option. As a business that already places great importance on its DP and Data Security obligations, we have treated GDPR as an opportunity to provide greater peace of mind for our clients through a review and refinement process, making changes and improvements where required. Evolution not revolution!
Next Steps
If you are still struggling to decipher the new legislation to ensure compliance before the May deadline, help may be at hand. Our experienced compliance team can assist with the completion of GDPR risk assessments, policy and procedure reviews and ongoing compliance monitoring.
Please do not hesitate to contact me directly if you would like to learn more.