We are all aware of the financial services sector’s obsession with data, which was recently described as the "oil of the industry". A large amount of future customer interaction and proposition solutions will be based on the use and ‘manipulation’ of data. But data regulation is changing and firms need to ensure they are compliant.
In the past, data was collated, put into a box and stored somewhere within a business. This approach has become unfeasible as increasingly the ‘box’ will need to be constantly taken out of storage and its contents inspected and manipulated.
Any practical challenges have been overtaken by compliance and regulatory requirements. For example, the European Union's General Data Protection Regulation (GDPR) is designed to create one regulation regime to protect all data rights of EU citizens.
It came into force on 24 May and is meant to apply from 25 May 2018. It is almost certain that this area of European regulation will still be applicable or have similar equivalents within the UK even after we have left Europe.
The rules are clear for administrators, distributors and trustees in terms of the penalties they could face. The maximum fine for a company breaching GDPR is £17m (€20m) or up to 4 per cent of total worldwide annual turnover of the preceding financial year. The lower tier fine is up to 2 per cent of the total worldwide annual turnover of the preceding financial year. All firms must inform their relevant data authority about any data breach within 72 hours.
The EU’s GDPR was originally intended to supersede the Data Protection Act 1998. However, as a result of Brexit, there could be uncertainty about how these rules will apply, which is something the Information Commissioner's Office (ICO) will police closely once any regime has been adopted.
The key issue is that you need to tell the ICO if there has been a data breach and clarify the dividing line between those companies that process data only within the UK and those that do not. It therefore becomes an issue for those organisations dealing with EU clients or with a more international profile who have to consider the full ramifications of GDPR.
In order to comply with this regulation post-Brexit, it is likely that firms will have to implement the GDPR into UK law or have a law of an equivalent standard. In reality, any variation from GDPR is likely to only be possible if the context is either entirely domestic or non-EU related.
It seems very likely then that administrators, trustees and distributors will have to follow European data rules even after Brexit.
The importance of high data standards, regardless of Brexit, are explicitly mentioned by the ICO and it is currently something the government is considering to determine the impact on data protection reform in the UK.
A large number of financial services businesses and their ancillary services are operating across borders, and international consistency around data protection laws and rights is crucial to those businesses and their consumers and citizens.
With the increased attention on data and the importance for financial services, the Tax Incentivised Savings Association's Technology Innovation Policy Council is looking at the process by which data producers, data aggregators and data consumers – both large and small – exchange, sell and trade data, in order to agree open standards for the industry.