Don’t get caught offside when GDPR kicks-offRSS icon

Written by Sumit Sethi on Wednesday 4 October 2017

This article first appeared in Professional Adviser, September 2017

The history of the offside rule dates back to the early 19th century, with it being incorporated as one of the original laws in the 1863 Laws of the Game. Since then, differing interpretations of what constitutes offside i.e. should it be the second to last player, at least three players or even no players, led to several amendments, with the last major change being in 1990. And yet, you still overhear people asking, “What is the offside rule?”

The offside rule exists to promote the free-flowing movement of the game, the scoring of goals but not at the expense of fairness. Whilst the impact of non-participants misunderstanding offside is trivial, when the very professionals that play the game execute poor timing or poor communication, they fall foul of the rule and the consequences can adversely determine the result of the match.

In the same vein, the EU has sought to repeal the many local directives such as the UK Data Protection Act (DPA) in place of the General Data Protection Regulation (GDPR), which comes into force on 25/05/2018. GDPR recognises the protection of personal data as a fundamental human right and in doing so, it introduces a new set of remedies and penalties. GDPR is about achieving trust through two mechanisms; transparency & accountability. The EU has effectively sought to level the playing field through one standardised piece of regulation, and Professional Advisers need to understand what GDPR means for them, before they fall foul of it.

With little over 8 months left, Professional Advisers do not have much time to ensure their operations are GDPR compliant. Adding to this complexity, there is a myriad of myths and misinformation with many commentators sensationalising the crippling fines. Reassuringly, the UK Information Commissioner Elizabeth Denham blogged last month to clarify that “issuing fines has always been and will continue to be, a last resort” and whilst they have a suite of sanctions, participants shouldn’t lose sight of what GDPR is actually about.

As intermediaries, Professional Advisers are Data Controllers and this places them firmly within the scope of GDPR. However, just like the Three Lines of Defence model used for risk management, we can utilise this to illustrate the three logical lines (Clients, Back-office and Partners) that Professional Advisers should address as part of becoming GDPR compliant.

  1. Line 1 (Clients) - As this is the initial engagement point with potential clients (Data Subjects), Professional Advisers should familiarise themselves with Chapter 2; Lawfulness of processing (Article 6) and Conditions for consent (Article 7). These articles mandate that to process data lawfully on the basis that it was collected, consent must explicitly be clear and affirmative together with an opt-out for Data Subjects, and with the burden of proof for securing consent residing with the Professional Adviser.

The opportunity for Professional Advisers is to review their engagement process and redesign it in line with not just with GDPR, but their own business strategy. This will ensure they can succinctly inform clients of what data they will hold, the purpose of collecting it and how it will be processed. In working towards a clearer relationship with clients, they should become better at attracting and retaining them.

  1. Line 2 (Back-office) - This is where Rights of the data subject (Chapter 3) and Controller & processor (Chapter 4) are of relevance. Right of access by the data subject (Article 15), Right to erasure - ‘right to be forgotten’ (Article 17), and Right to data portability (Article 20) are all from Chapter 3 and whereby processes need to be modified. When simplified, they work together to mandate that whatever data you have of the Data Subject, you must be able to undertake a variety of requests, in certain cases to lower timeframes than under the DPA whilst not contravening other laws and regulations e.g. MiFID II.

Data Protection by design and by default (Article 25), Records of processing activities (Article 30), Security of processing (Article 32), Notification of a personal data breach (Article 33) and Data protection impact assessment (Article 35) are some of the significant provisions from Chapter 4. They work together to encourage organisations to ‘bake-in’ data protection across Business As Usual (BAU) including future operational changes as well as unplanned changes e.g. data breaches. 

The opportunity for Professional Advisers is to review and reengineer their processes and systems to be able to better serve inbound requests. In doing so, they will be better able to understand and prepare for the wider provisions around security and protocols for managing data breaches. 

  1. Line 3 (Partners) - Fund Managers, Insurance Companies and Platforms are Data Processors that Professional Advisers engage with and in doing so, data is exchanged. GDPR brings about a fundamental change in that Data Processors now have direct statutory obligations placed upon them, with Processor (Article 28) from Chapter 4 being materially important. Professional Advisers should ensure that contractual agreements between these partners are GDPR compliant and factor in those articles that Professional Advisers themselves must adhere to. We should see a range of new contractual obligations being appended to existing contracts, if not, entirely new contracts.   

The opportunity for Professional Advisers is to better control data that leaves their BAU operations and in doing so, reduce their risk by further understanding the data that they collect, what they do with it and what purpose they need it for, which will ultimately, promote a culture of best practice.

Whilst the scope of GDPR may seem all-encompassing, it should not be viewed as a simple ‘tick-box’ exercise but rather an opportunity for Professional Advisers to establish better relations with their clients and partners as well as improve their back-office operations. To avoid being caught offside, Professional Advisers should create a plan that addresses the higher priority items based on an impact assessment and gap analysis to demonstrate that they are actively reducing risk. The Royal Mint illustrated the offside rule on 50p coins in 2012 and whilst the task might seem impossible for a GDPR equivalent, I would inscribe ‘Transparency & Accountability’ on my 50p coins, which should serve as a constant reminder whilst working towards GDPR.

Enjoy this article?

Why not share it...