The EU General Data Protection Regulation, or GDPR, came into effect in the UK on 25 May 2018, introducing new rules around how businesses deal with personal data. As we approach its third anniversary, Nick Eatock, CEO of intelliflo, considers how advice firms are coping with the legislation.
Three years ago, GDPR introduced important changes to the way organisations treat their customers’ personal data. As advice firms handle large quantities of personal data, the regulation poses some specific challenges to the profession. The rules place far more emphasis on the rights of individuals to control their own data, and require firms to make the secure storage and handling of client information central to all their processes.
The cost of failing to comply can be huge. For the most serious infringements, the Information Commissioner’s Office (ICO) can impose fines of up to £17.5m or 4% of annual turnover, whichever is greater, and it hasn’t been afraid to act. GDPR enforcement action led to nearly £40m in fines in 2020. The two largest were British Airways who were charged £20m for a data breach which affected 400,000 customers, and hotel group Marriott International, which paid £18.4m following a cyber-attack affecting an estimated 339 million guest records1.
As well as the initial work to establish the correct procedures, GDPR requires ongoing work to ensure compliance; it’s not just a one and done tick box exercise. You need to continue to make sure that active client data is accurate and that you only hold data on legacy clients that you genuinely need to keep. If a client requests their data, you need to provide it without undue delay. If your firm or any employees breach the rules, for instance if an email including personal information is sent to the wrong address, or individual data is revealed in a phishing scam, you need to report the breach to ICO and the affected clients within 72 hours of it being identified.
Given the implications of the regulations to the advice sector, it’s hardly surprising that in research among intelliflo office users in May 2019, a year after GDPR came into effect, nine out of 10 firms reported the legislation had impacted their daily business, including 20% who felt it had had a major impact. Another two years on, and our feeling is the rules are now far more embedded in processes, creating little additional work for firms on a day-to-day basis.
To this end, the Covid-19 pandemic may actually have helped some firms with their GDPR compliance. For all the challenges it posed, the resulting increased use of technology has in many cases improved data quality, handling and processing. When the legislation first came into force, we saw a significant uptick in the use of our systems, as advisers turned to technology to make compliance easier. But the pandemic has had an even greater impact, with huge rises in usage of our client portal, electronic signature capability and virtual meeting facility.
Client portals in particular can play a key role in avoiding data breaches, as a way to share information securely and make personal data easily accessible to the client. According to the most recent ICO statistics2, in Q1 2021 the finance, insurance and credit sector received 255 reports of data breaches. The most common, with 46 reported breaches, was data being emailed to the incorrect subject, and a further 34 were due to it being faxed or posted to the wrong person. Just four were attributed to a client being shown someone else’s data via a client portal.
Human errors like this illustrate that GDPR really is everyone’s responsibility. It’s vital that all employees understand the importance of the regulations and the potential risks to your firm of non-compliance. Having solid frameworks in place to process and store information accurately is crucial and also helps to evidence to ICO you have taken reasonable steps to avoid a breach and ensure data accuracy.
On a positive note, in general firms appear to have fared well at compliance. Aside from the big fines for a few serious incidents, there has been little enforcement activity to date. In its 2019/20 report, ICO stated that in 95% of personal data breaches, the outcome was no action for the data controller, with an improvement action plan agreed or civil monetary penalty pursued in just 0.06% of cases3.
At the very least, these figures demonstrate that UK businesses are taking their GDPR responsibilities seriously. In October 2017, before the rules came into force, our research among advice firms found that two thirds (67%) didn’t have a plan in place to fully implement the legislation in time, while almost one in 10 (9%) were not aware of the regulation at all. Clearly the sector has come a long way in the three years since the rules took effect, with technology supporting robust procedures to cope with GDPR’s challenges.
2 https://ico.org.uk/action-weve-taken/data-security-incident-trends/
3 https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf
