26 February 2018

News: Data Protection

Broadly there seems to be a consensus that there will have been a 50-fold increase in size by 2020, reaching in excess of 2


Broadly there seems to be a consensus that there will have been a 50-fold increase in size by 2020, reaching in excess of 2.5 exabytes produced every day – which equates to approximately 90 years of High Definition video. And with the dramatic rise of both human- and machine-generated data there seems to be no let-up in the predicted growth rates.

Clearly data growth creates challenges such as, amongst others storage, data centre power and of course data security. It should be no surprise then that data protection hit the legislators’ range finder as more and more data is shared online and our privacy is increasingly at risk of becoming compromised.

This year sees the most important change in data privacy regulation in 20 years with the onset of GDPR, or the General Data Protection Regulation. After four years of preparation, the new
rules were approved by the EU Parliament in April 2016 and become enforceable on the 25th May 2018.

The key changes, are designed to harmonise data privacy laws across Europe (and yes do still apply despite Brexit) can be summarised as follows:

  • Increased territorial scope
    The jurisdiction of the regulation now covers all companies processing personal data of data subjects residing in the Union, regardless of the company’s location.
  • Consent
    Conditions for consent have been strengthened and consent must be given in an easily accessible form – no more hiding behind complicated terms and conditions. Importantly, consent must be as easy to withdraw as it is to give.
  • Penalties
    Fines are much more onerous with maximum fines up to 4% of annual global turnover or a maximum of €20 million for data breaches.
  • Breach notification
    It is mandatory to report a data breach to the regulator (the Information Commissioner’s Office in the UK) within 72 hours of first becoming aware of the breach.
  • Right to access 
    Expanded rights allow data subjects to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose. 
  • Enhanced Rights
    This gives individuals more control over the use of their data. This includes enhanced rights to access, right to rectification and rights to be forgotten.

What do we do with your data?

At JM Finn we hold client contact, personal and financial details on our systems such that we can provide you with the service that you have requested and to comply with our regulatory obligations. This data has been provided by the client and the only instances where we might share this data are with companies that send out our client reports, for example periodic statements and contract notes, and Prospects magazine. We might also share data with credit reference agencies where this is the condition of us providing the services to you and, in the case of our wealth planning service, approved product suppliers, such as pension scheme providers. In all cases, it is of course our responsibility to ensure that the third party is fulfilling their GDPR obligations and treating your data to the high standards of privacy that we expect of ourselves. In some instances these third parties might exist overseas, but we will still take the appropriate measures to ensure that your data is processed in accordance with the regulations.

We also hold personal details for non-clients and it is this data where we have to gain explicit consent. This is so we can contact them for marketing purposes where we might want to send them a copy of Prospects or invite them to an event such as a wealth planning seminar. Once consent is received we will maintain the data within the constraints of the regulations and look to refresh the consent on a regular basis.

Digital data, such as IP addresses, are recorded from all visitors to our websites. We collect this data passively to help us distinguish one visitor from another and we use this data to identify browsing actions and patterns in order to enhance the websites. The data is shared with analytics providers and search engines to help us optimise the website via the use of cookies, which retain the information from one minute to two years, depending on the cookie deployed.

Finally, it’s worth mentioning that all voice and data communications into the firm are recorded, whether sent by telephone or email. We don’t share this data with anyone unless required to for regulatory or legal reasons.

The updated regulations require organisations to write new procedures and instil new processes around data privacy and retention and have implications across all aspects of a business from marketing to HR. At JM Finn we have taken legal advice as to the impact on our business and we would encourage all business owners to do the same – as the amount of data we hold intensifies, so the issue of data privacy becomes more acute.

Useful guidance can be found at www.ico.org.uk.

Understanding Finance

Helping clients understand what we do is key to building relationships. To explain some of the industry jargon that creeps into our world, we’ve pulled together a section of our site to help.


Also in this issue