The Information Commissioner’s Office (ICO) published a statement in April saying that it would be taking a pragmatic and flexible approach to regulatory action during the Covid-19 pandemic.
Since then it has published a wealth of helpful guidance on working from home, testing for returning to work and data management for various Covid-19 data initiatives.
We would recommend that financial institutions avail themselves of this guidance.
Financial institutions should recognise that their working practices will have changed, their IT infrastructure will likely be different now, and the data risks they faced pre-Covid-19 will therefore have changed too.
To understand what the current crisis means for GDPR rules it is probably worth revisiting some history.
How did we get here?
The UK Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation 2016 (GDPR), which it complements, are the two main cornerstones of UK data protection legislation.
Previously, the UK law on data protection was framed around the Data Protection Act of 1998, which clearly was not (and could not have been) drafted for the digital age.
The change in the law brought about by the DPA 2018 and GDPR was well publicised during 2018, but global financial organisations, as well as those in other sectors, are still facing many challenges with compliance.
Some are still catching up with the general requirements of the new framework of law (i.e. ‘housekeeping’) while others need to respond to events that engage the law in new ways, such as the occurrence of a data breach.
At Ince, although we act for organisations in all sectors including financial advisers, financial institutions often seek our advice specifically in the field of data protection, after we have provided legal advice on financial crime prevention, specific financial regulations or in relation to an application to the UK Financial Conduct Authority.
In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to issue significant fines under the GDPR and DPA 2018 of £183.39m and £99.2m for two specific breaches. However, our view of the GDPR landscape is generally positive.
Although our clients may struggle with technical aspects of compliance, or face an imminent event like a data breach where lawyers need to be instructed, we have generally found our clients to take a positive cultural approach to data protection, to aim for best practice standards and to care that data rights are properly afforded to their clients.
In our experience, the fact that an organisation may get things wrong in relation to data protection has not been a reflection of failings of attitude or culture – but a reflection of the natural limits of their own staff’s ability to maintain high levels of competency in specialised legal fields that are not core to their businesses.