April 17 – General Data Protection Regulation

Firms should be starting to review how they will comply with the EU General Data Protection Regulation (GDPR), which comes into force next year. While the new legislation is generally an extension of the existing data protection provisions, it adds explicit requirements and introduces new obligations, such as the accountability principle where firms will have to demonstrate how they comply.

One key change is the strengthening of individuals’ rights. Firms will need to seek explicit consent from an individual (a pre-ticked box, for example, will not suffice), and the request for consent should set out the specific activity for which their data will be processed. Firms will not be able to rely on consent given for one activity and use it for other purposes, so they will need to decide how they will obtain consent for each processing activity. The declaration of consent has to use clear and plain language and must not contain unfair terms. This move away from firms providing long and complex terms and conditions towards effectively engaging with consumers has already been encouraged by the FCA in its recent work on smarter communications. Individuals will also have a right to withdraw consent at any time, and subject access requests will have to be provided free of charge.

The Information Commissioner’s Office continues to publish guidance on GDPR; however, clarification is needed from the FCA on how it interacts with firms’ regulatory obligations such as disclosure, anti-money laundering and record keeping. Firms should, however, start to plan now for the changes they will have to make next year.

Aileen Lees
Senior Policy Adviser
April 2017