Being right about your rights
The most frequent challenge we see for financial organisations in relation to data protection housekeeping is compliance with the new ‘right to be informed’.
This is one of many data rights that the GDPR and the DPA 2018 afford to individuals, whether clients or prospective clients.
Essentially, an organisation needs to provide specific information about why data is collected, how it will be used and how long it will be kept for.
This is not a complex requirement to comply with, since information can be provided in a privacy policy.
The GDPR provides a checklist of the key elements of information to include in such a policy and the ICO has published helpful guidance on their website covering this topic in detail.
Why then are financial institutions finding this to be a challenge?
The simple reason is that the information needs to be specific and tailored to a firm’s own interactions with its clients and prospective clients.
It is not enough to have a generic template privacy policy that is not specifically tailored to a firm’s (or a department’s) data handling practices.
Under the old law (the Data Protection Act of 1998), firms were often in the bad habit of re-using generic template privacy policies that did not reflect their businesses.
This practice was not appropriate under the old law, but it seemed to become pervasive.
This bad practice seems to have continued despite the new law coming into force, which requires a higher level of specific transparency.
Even two years after the DPA 2018 and GDPR have come into force, we are still helping financial institutions to comply with this requirement.
Data housekeeping while Covid-19 keeps us all indoors
The global response to Covid-19 seems to have had two effects on this ‘housekeeping’ work for financial institutions.
Firms are now finding the time to get their data protection regime into good order; however, there has been a significant increase in price-sensitivity from firms who are naturally keen to use their internal resources as much as possible to assist with the delivery of the necessary legal work rather than, for instance, the drafting of data protection policies.
With premises closed, budgets severely curtailed and staff at home with little ‘normal’ work to do, trying to be as useful as possible in areas such as compliance, it has been necessary for us to be flexible with our clients and to try to deliver our work in a more collaborative way in response to these pressures.
