Privacy notice - GDPR

So, I've been re-writing our privacy notice for GDPR for the past two weeks and have been reading up on the ICO website quite a lot. However, following the latest Howwow, I am a bit confused by the lawful bases for processing. I have a section in the privacy notice detailing the bases on which we may rely, so the data subject understands why we will be processing their data, which are...

1) Consent - easy to understand, they just sign
2) Contract - e.g. where there is an agreement for us to provide a service, we need to process the data in order to meet our obligations to the client under a client agreement/recommendation
3) Legal obligation - where all the FCA/EU et al rules and laws require us to hold and process data, so retention periods, knowing your client and all that jazz
4) Legitimate interests - e.g. where we have a legitimate interest in retaining information relating to any advice we have given pretty much indefinitely in case of a complaint in the future.

The Howwow seemed to suggest 2) above doesn't count, 3) was glossed over and 4) is everything else that isn't consent. This was not my understanding of it at all.

Anybody in a more enlightened position to explain it?


Comments

  • richallum Administrator
    @StuartBFM I'm at a full day workshop on this next week and will be asking those very questions. Will report back.

    Paraplanner. F1, Apple, Nutella, ice cream. No trite motivational quotes. Turning a bit northern. 

  • Hi Stuart,

    We've done a lot of work on this and even appointed our own internal GDPR coordinator to ensure we're "GDPR ready". I asked him to have a quick look at your query and I've included his response below. This is going to be a bit of a minefield, so the more thoughts and opinions we can get on this the better!

    "I presume Stuart is a freelance para-planner, so I will make the assumption that he will fall into both the categories of data controller and processor.

    I'll come back to point number one dealing with consent last and start off with point 2, which deals with Contract. You can rely on this fulfilling your lawful basis if you need to process a data subject's data to fulfil a contractual obligation; in the case of an IFA, that would be being contracted to provide financial advice. This advice can't be offered without processing the data subject's personal information. In most cases I believe this would be a suitable basis for lawful processing, where an IFA has been contracted to provide advice.

    Point 3 refers to legal obligation. I would hazard a guess that there is no legal obligation for an IFA or para-planner to process personal data. There may be a legal obligation to retain data (be careful here of new data minimisation rules), but unless approached by public authorities or legal bodies and asked to process data, I couldn't see this as applicable in this instance. Somewhere where it may be more suitable is processing a teacher's job application and conducting reference checks for criminal background.

    Point 4 looks at legitimate interest. In the first case, there would be no legitimate interest for the data processor to process that data, so you couldn't rely on this being a lawful basis for processing. If you tried to use this, you would have to take into consideration peoples' rights, freedoms and interests. This doesn't mean that the data couldn't be kept for an indefinite period of time to either refer back to at a later date for more informed advice or to show as evidence in the case of a complaint. If that data had to be processed again to be retrieved you could rely on legitimate interest in that case.

    Coming back to point 1 with consent. Consent is murky and not as clear cut as it looks from the outside. Because consent has to be so specific and "granular", if you deviate away from the original consent even slightly, you are opening a data protection shaped Pandora's box. For example, if you know that you only need a person's first name, last name and net monthly available expenditure to provide investment advice, great. However, if you suddenly find that you can't continue without the subject providing their date of birth (for example), you have to repeat the whole process of gaining granular consent over again, which is time consuming for you as well as irritating for the client, because don't forget you have to be able to prove consent, which means some sort of paper trail. Consent draws a very obvious, clear and potentially narrow line in the sand - if you deviate from this line in any way, you're lining yourself up for potential problems.

    In my opinion, out of the six valid bases for lawful processing, Contract will be the most applicable for IFAs and para-planners. The regulation states: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract", which puts the data subject in the driving seat. They approach you to do something and you process their data in order to do what they are asking. As a side note, but worth mentioning, this is also applicable as a lawful basis even if there is no formal contract in place - even if a data subject has only approached an IFA for an initial quote, if you have to process their data in order to do so then Contract covers you to do what they ask. As a last point though - don't forget the processing must be necessary. Referring back to the quote example, if you can reasonably provide one without processing any personal data, then don't! If you are audited you would need to be able to justify any processing."

  • Oh good god and here was me thinking I had my head around this. I'm hopefully meeting with our legal firm next week post the Powwow (scheme members), so I'll post if there's anything useful from that too.
  • richallum Administrator
    I'm at a GDPR day with Phil Young next week and will bring this and all the issues from the Howwow up and report back too.

    Paraplanner. F1, Apple, Nutella, ice cream. No trite motivational quotes. Turning a bit northern. 

  • Thanks for the replies, seems it's not all as crystal as I was beginning to hope it was.