What is the GDPR and when will it apply?

31 Jan 2018

The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will govern the use of personal information throughout the European Union. It replaces the EU's Data Protection Directive (95/46/EC) and, in the UK, the Data Protection Act 1998. The Government's Data Protection Bill (due to come into force this year) will ensure that the GDPR remains in UK law post-Brexit, so there is little doubt that the GDPR is here to stay.

Casting the net wide

The GDPR will apply to organisations established in the EU that process personal information, wherever the processing itself takes place. It will also reach beyond the EU: an organisation located outside the EU is caught if it offers goods or services to individuals in the EU or monitors their behaviour there. The net of the GDPR is cast wide, and it protects individuals in the EU regardless of their citizenship.

What is Personal Information?

Personal information is data that relates to an identified or identifiable natural person. A person can be identified from information such as a name, ID number, location data, an online identifier (e.g. an IP address or a cookie ID) or other factors specific to that person. It covers anyone who can be identified directly or indirectly, but does not cover the deceased. For a financial adviser, it might include details of insurance products put in place for clients, details of account transactions, and the names, addresses and other contact details of clients.

What are the principles of the GDPR?

When handling personal information, the following principles apply under the GDPR. Personal information should be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and only used in a way which is compatible with those purposes;
  • adequate, relevant and limited to what is necessary for the purposes of processing;
  • accurate and kept up to date;
  • held for no longer than is necessary for the purposes of processing; and
  • processed in a manner which ensures appropriate security of the personal data, using appropriate technical and organisational measures.

Compliance with the above principles, and with the GDPR as a whole, must be clearly demonstrable. This is known as the accountability principle and goes to the heart of the changes under the GDPR. Organisations must be able to show that compliance is implemented at all levels throughout the organisation and that responsibility for compliance is allocated at board level. This can be demonstrated by implementing technical and organisational measures to ensure compliance, documenting all processing activities and policies and, where appropriate, appointing a Data Protection Officer. A significant challenge for organisations is instilling a compliance culture. The good news is that, as organisations which are either regulated by the FCA or regularly deal with other regulated entities, your employees will already understand the importance of compliance, and you may well have procedures and policies which you can reuse to aid your GDPR journey.

What happens if you don't get it right?

If an organisation has not complied with the GDPR then the regulator (in the UK, the Information Commissioner's Office (ICO)) has the power to issue significant fines: up to the greater of 20 million euro or 4% of annual global turnover for the most serious breaches, such as breaches of the principles above or of individuals' rights, and up to the greater of 10 million euro or 2% of annual global turnover for other breaches, such as failures in record-keeping or security. Within those tiers, the level of fine depends on the nature and seriousness of the breach. The ICO may also make use of its other enforcement tools, such as audits, warnings, corrective orders or a ban on processing.

What next?

The key message is that it is not too late to start getting your house in order. As a starting point, you should consider what personal information you hold, where it came from, who you share it with and what you use it for. This data map will guide your approach, and your next steps, in the lead up to 25 May.

In the run up to the GDPR we will be running a short series of briefing notes on other areas that you should be considering, and on the next steps to take in order to move towards GDPR compliance.

Womble Bond Dickinson

For further information, please contact Caroline Churchill, Partner at Womble Bond Dickinson(UK) LLP

Comments (1)

Bear in mind that for your own protection, you need to hold personal data on any person you have, or ever had, a commercial relationship with until such time as they can no longer make a claim against you relating to it.

Since FOS sticks two fingers up at the Long Stop in the Limitation Act, that means for ever.

Peter Turner   20/02/2018   11:58
