If you've not yet heard of the new European Union General Data Protection Regulations (GDPR), you soon will: their introduction is getting ever nearer, with the new regulations coming into force on May 25, 2018.
Europe's data protection laws were created in the 1990s. Since then, there have been huge changes in the amount of digital information we create, capture and store, and the old regulations are no longer fit for purpose in the modern digital age.
GDPR is Europe's new framework for data protection laws and will replace the UK's Data Protection Act. GDPR is intended to harmonise data privacy laws across Europe and to give greater protection and rights to individuals. The new European General Data Protection Regulations bring large changes both for the public and for the businesses and bodies that handle the personal data of European Union citizens. This means that there will be large changes for the pensions industry as a whole.
Will Pension Consultants And Advisers Be Impacted?
In short, yes. ALL individuals, organisations, and companies that are either controllers or processors of personal data will be covered by the GDPR. "If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR," the ICO says on its website.
Under GDPR, both personal data and sensitive data are covered. Personal data is defined as anything that can be used to identify a person, such as their name, address or IP address. Sensitive data includes things such as genetic data and information about someone's sexual orientation or religious and political views. Companies covered by GDPR will be more accountable for the data they hold: they will need compliant data protection policies and data protection impact assessments, as well as documentation showing how data is processed.
For example, under GDPR, organisations will now have to ensure they use simple language when asking for consent to collect personal data. They will need to be clear about how they will use the information, and they need to understand that silence or inactivity no longer constitutes consent.
Another major change will be the right to be forgotten. Under GDPR, organisations are required not to hold data any longer than absolutely necessary and not to change the use of the data from the purpose for which it was originally collected; at the same time, they must delete any data at the request of the data subject. This means that organisations will have to get fresh consent before they can alter the way they are using the data they have collected.
Will GDPR Apply Post-Brexit?
GDPR will apply to the UK because the legislation is going through before the UK leaves the European Union. What many people also don't realise is that GDPR applies to any organisation globally that processes or stores the data of European Union citizens, so it would affect hundreds of thousands of UK businesses even if it were enacted post-Brexit.
What Happens If You Don't Comply With GDPR?
The fines under GDPR can be huge. Smaller offences can result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). Those with more serious consequences can attract fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). These dwarf the current maximum fine of £500,000 that the ICO can issue.
More information on GDPR can be found at https://ico.org.uk/for-organisations/data-protection-reform/.