GDPR and what it means for you
For adviser use only
General Data Protection Regulation
On 25 May 2018 new guidelines from Europe will apply to strengthen data protection for all individuals. The General Data Protection Regulation (GDPR) aims to give control back to individuals over their personal data and to simplify the regulatory environment within the European Union (EU).
The UK government has also confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR.
What does it mean for financial advisers?
With the new guidelines fast approaching, you should review the guidance from the Information Commissioner's Office (ICO) to understand what it means for you and your business. This will enable you to identify your requirements and take the necessary steps towards achieving compliance, such as reviewing any communications strategies.
Who does GDPR apply to?
The GDPR definitions are broadly the same as under the Data Protection Act (DPA). If you’re currently subject to the DPA, it’s likely that you’ll also be subject to GDPR guidelines. GDPR impacts everyone who collects and processes personal data on individuals within the EU.
What’s the impact of GDPR?
For full information on the GDPR requirements please read the ICO guidelines. We’ve detailed below a few of the key areas that are changing:
GDPR lays down very prescriptive rules on what information must be provided to an individual when you collect their personal data (for example who is the data controller, contact details of the data protection officer, the legal basis for any processing you conduct and the length of time their information will be kept).
The rights of individuals
GDPR will enhance individuals' existing rights, as well as introduce some new rights. These include:
- From May 2018, individuals will be able to request a copy of their personal data by making a Subject Access Request (SAR) free of charge and the number of days organisations will have to respond will reduce from 40 to 30 days.
- Individuals will have the right ‘to be forgotten’ (have their personal data erased) in certain circumstances.
- Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling.
Where an organisation relies on consent as their lawful basis for processing an individual’s personal data (to be able to send them direct marketing material), the rules around consent have been strengthened significantly. For example:
- Organisations must be able to demonstrate that the individual has consented to the processing of his or her personal data for a particular purpose.
- An organisation’s request for consent must be provided in a clear, intelligible and accessible form, using clear and plain language.
- Inactivity, for example not clicking on an opt-out box, will not be valid consent under GDPR. Individuals must take an action in order for consent to be valid (for example by ticking a box or confirming their consent verbally).
The ICO have indicated in their draft consent guidance that where any existing consent doesn’t meet the requirements of GDPR, then it will not be valid from May 2018.
Significantly, the new regulations include provisions that promote accountability and governance, in addition to the transparency requirements (mentioned above). These measures have previously been good practice, however following the introduction of the new regulations they’ll be legally required.
These measures should minimise the risk of breaches and uphold the protection of personal data.
What are the consequences of not complying with the new regulations?
Currently breaches of the DPA can attract fines of up to £500,000. When GDPR comes into force, there will be a two-tiered sanction regime. Lesser incidents will be subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation’s worldwide annual turnover (whichever is greater), with the most serious breaches resulting in fines of up to €20 million or 4 per cent of an organisation’s worldwide annual turnover (whichever is greater).
What is Aegon doing to comply with GDPR?
Aegon is responsible for complying with the data protection regulations and is fully aware of the upcoming changes to data protection regulations that will come into force under GDPR. We’ve already appointed a Group Data Protection Officer and Aegon UK has a local Data Protection Officer in place.
We have a GDPR programme set up, looking into the requirements of the new regulations and what they mean to our business, its customers and processes. This will enable us to identify and take the necessary steps to achieve compliance in May 2018.
To help you put GDPR into practice, you may find the following FAQs helpful.
Will Aegon (as the scheme provider) still be able to communicate with the individual scheme members?
GDPR won’t impact the existing process of being able to contact customers with servicing and marketing messages. Aegon will continue to contact our customers to ensure they are fully informed pre- and post-retirement, within the rules of the consent guidance.
Is there any difference between what a scheme adviser and a personal adviser will be able to do following the introduction of GDPR?
We understand that GDPR shouldn’t impact existing adviser relationships, as they already adhere to the DPA.
As a scheme adviser, can member data be shared with third parties?
Advisers, as data controllers, have responsibilities to comply with the ICO. We’re unable to comment on individual cases, though we suggest you may want to consider reviewing your fair and lawful processing as well as your consent permissions.
Following GDPR, as an adviser will I still have access to the same level of management information?
Our existing adviser terms and conditions comply with the GDPR regulations, and so we don’t believe there will be any impact after May 2018. The following information will be available:
| | Pre-GDPR 2018 | Post-GDPR 2018 |
|---|---|---|
| Scheme member data | Y* | Y* |

*Subject to receipt of permission confirmation from the adviser
Where can I find out more information?
This information is based on our understanding of the draft GDPR guidance. We recommend that for the most up-to-date information you regularly visit the Information Commissioner's Office website.