How might Brexit affect data protection?

As the media continues to report how things might change in the UK following Brexit, it should come as no surprise that data protection is one of the areas that could be affected. The Information Commissioner’s Office (ICO) has issued new guidance to organisations on this issue.

The provisions of the European Union’s General Data Protection Regulation (GDPR) have already been incorporated into UK law via the Data Protection Act 2018, so for most firms Brexit will not have a significant impact on their data protection obligations.

There may however be implications for organisations that currently transfer data between the UK and the European Economic Area countries. At present, data can move freely between the UK and other European countries because GDPR set a common set of rules to be followed across the continent. However, if the UK either leaves the EU with ‘no deal’, or any arrangement subsequently negotiated between the UK and the remaining EU countries fails to specifically provide for the continued flow of personal data, then there could still be an impact on the data protection system.

The ICO has published a guide called Six Steps To Take, and these six steps are:

  1. Firms should continue to comply with GDPR and the Data Protection Act 2018
  2. Firms should identify where they receive data from EEA member states
  3. Firms should also identify where they transfer data from the UK to another country
  4. Firms with European operations should review their structure, processing operations and data flows. The EU’s data protection rules will of course still apply in other member states after the UK leaves
  5. Firms should review their privacy information and internal documentation to identify any details that will need updating when the UK leaves the EU, such as the need to remove any references to EU law, or any other references to the EU, EEA etc.
  6. Firms should ensure their key staff are aware of how Brexit might affect data protection

The government has already said that transfers of data from the UK to the EEA will not be restricted, even if there is no deal. However, if the UK leaves the EU without a deal, or with a deal that does not specifically cover data flows, GDPR transfer rules will apply to any data coming from the EEA into the UK. Firms that may be affected are advised to start working with their EU partners to ensure that data transfers remain compliant. Many firms might choose to use Standard Contractual Clauses as their legal basis for future cross-border transfers. These are EU-approved data protection clauses which can either be embedded within contracts, or added as an appendix to an existing contract.

The Privacy and Electronic Communications Regulations, which cover nuisance calls and texts, will continue to apply in the UK after Brexit.


The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.

Directors can now be personally fined over nuisance calls

December 17 2018 finally saw the long-awaited introduction of fines for individual company directors should their firms make nuisance calls or send nuisance texts and other marketing messages.

For some time, the Information Commissioner’s Office (ICO) has had the power to impose fines of up to £500,000 on firms which breach the Privacy and Electronic Communications Regulations (PECR). A number of fines have been imposed for offences such as cold calling individuals who had registered with the Telephone Preference Service and sending nuisance texts to individuals who had not explicitly consented in advance to receiving them.

However, a number of firms, instead of paying the fine, decided to put themselves into voluntary liquidation in an attempt to avoid payment. The key individuals from that firm may then have commenced trading once again under a different name. The latest change is designed to stop the law being abused in this way.

Of the £17.8 million in fines handed out by the ICO between 2010 and April 2018, only £9.7 million was recovered.

Hence it is now possible for the ICO to issue a fine against a director of any company that breaches this law. Even if the firm itself is placed into liquidation, the director can still be pursued for the fine. The ICO says it will act against a senior officer of a firm if the breach “took place with the consent or connivance of the officer” or “was attributable to any neglect on the part of the officer”.

The ICO can now issue a fine of up to £500,000 against the firm, and up to a further £500,000 against one or more directors, effectively meaning that seven-figure punishments can now be imposed for breaches of PECR.

Perhaps the latest change in the law cannot have come soon enough, as communications watchdog Ofcom estimates that 3.9 billion nuisance calls and texts were received by UK consumers during 2017.

Digital minister Margot James MP said:

“There is now no hiding place for the small minority of rogue directors who have previously tried to escape justice.

“We are determined to stamp this menace out and this new law is the latest in a series of measures to rid society of the plague of nuisance calls.”

Andy Curry, head of the ICO’s nuisance call enforcement team, said:

“We welcome this amendment to the law, which will increase the tools we have to protect the public.

“It will mean we can recover the fine more easily and also make it much harder for unscrupulous operators to set up in business again.”


FCA confirms rules for claims companies

New disclosure requirements and an obligation to record telephone calls are amongst the new rules claims management companies (CMCs) will face from April next year when the Financial Conduct Authority (FCA) takes over as their regulator.

All of the significant changes proposed in the summer 2018 consultation paper are included in the new rules.

The requirement to provide a pre-contract summary document remains, and this document must include:

  • An illustration or estimate of the fees to be charged
  • An overview of the services the CMC will provide on a customer’s behalf, and the tasks customers will need to undertake themselves under the arrangement with the CMC
  • A statement to the effect that the customer is not required to use the CMC’s services, and that the same claim can be presented free of charge were the customer not to use the company’s services

The obligation for CMCs to keep customers informed as to the progress of their claim will encompass a requirement to provide updated estimates of potential fees, where appropriate.

Where a customer could pursue a do-it-yourself claim for free, this also needs to be highlighted on any marketing material issued by a CMC that relates to ‘no win no fee’ services. If a company is claiming to offer ‘no win no fee’ services, then marketing material must also give a prominent indication of the fees the CMC will charge, or how they would be calculated.

Another very significant change will be the need for companies to record all calls with customers and keep the recordings for a minimum of 12 months after the end of their dealings with each customer. They must also maintain records of text message and email communications.

Where CMCs purchase leads from third parties, they will need to carry out sufficient due diligence to ensure both that the lead generator is authorised and that it has appropriate systems and processes in place to ensure compliance with relevant data protection, privacy and electronic communications legislation. CMCs will need to keep a record of these checks.

Some additional changes that were not proposed in the consultation, but which will be in the new rulebook, include:

  • An obligation to clarify whether a fee is based on the gross or net compensation figure
  • A requirement to ask customers whether they are in an Individual Voluntary Arrangement, or similar; and to make them aware that any compensation award could be used to settle debts under an insolvency arrangement
  • The need to obtain explicit consent to charge any fees that were not disclosed upfront

It is also worth noting that, in addition to complying with the detailed rules, all CMCs will be subject to the 11 Principles for Business that apply to all firms the FCA regulates. These include Principle 6 – the requirement to treat customers fairly, Principle 7 – the need to provide information to customers that is clear, fair and not misleading, and Principle 11 – the obligation to fully co-operate with regulators.

Although existing CMCs will initially operate under the FCA’s temporary permission regime come April 1, there is no indication from the FCA that there will be any sort of grace period, and the regulator will expect CMCs to be fully compliant with these new rules on the switchover date.

CMCs therefore have a little over three months to prepare for FCA regulation. Any company not prepared to meet the more onerous regulatory requirements will need to leave the industry.

CMCs will need to register for temporary permission with the FCA between January 1 and March 31 2019. They will then need to apply for full authorisation:

  • Between April 1 and May 31 if they are a CMC that handles financial claims, or are a CMC that was not previously regulated by the Ministry of Justice
  • Between June 1 and July 31 for all other companies

Jonathan Davidson, Executive Director of Supervision – Retail and Authorisations at the FCA, said:

“We’re ready to take over regulation on 1 April 2019. The new regime aims to drive up standards in a sector whose reputation has been tarnished by some companies engaging in high pressure selling and by failing to provide clear information on the fees they charge.

“The new rules will ensure firms are transparent about their estimated fees before the customer signs on the dotted line and notify customers of free statutory ombudsmen or compensation schemes. It’s vital that customers have the information they need to make informed decisions. We will take action against those that break the rules.”


ICO imposes fines for non-payment of fees

More than 1,000 organisations have been fined by the Information Commissioner’s Office (ICO) for non-payment of their data protection fees. The data regulator says that the affected organisations encompass a variety of business sectors, including business services, construction, finance, health and childcare.

These fees must be paid to the ICO by all organisations, firms and sole traders, unless they are exempt from the need to pay. An organisation is only likely to be exempt if it does not carry out any form of data processing. In this context, ‘processing’ means doing any of the following with personal information:

  • obtaining it
  • recording it
  • storing it
  • updating it
  • sharing it

‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them.

The money collected from the fees is retained by the ICO to fund its activities of education, supervision and enforcement. However, the fines go to HM Treasury.

This announcement serves as a timely reminder for all firms to ensure they know when their ICO fees need to be paid by. If an organisation already has a registration made under the Data Protection Act 1998, then it will not need to pay a fee until the date on which that registration expires.

Depending on the size of the organisation, these are the fees payable and the fines that the ICO can impose:

  • Tier 1 – micro organisations (maximum turnover of £632,000 or no more than ten members of staff). Fee: £40. Fine: £400
  • Tier 2 – SMEs (maximum turnover of £36 million or no more than 250 members of staff). Fee: £60. Fine: £600
  • Tier 3 – large organisations (all those not meeting the criteria of Tiers 1 or 2). Fee: £2,900. Fine: £4,000

There is a £5 discount for all fee payments by direct debit.

Fines can be increased to a maximum of £4,350 where the ICO considers that there are “aggravating factors.”

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action.

“You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”


ICO chief speaks on recent issues

Information Commissioner Elizabeth Denham acknowledged that she was “a long way from home” when she gave a recent speech to the International Privacy Forum in Wellington, New Zealand.

However, much that the head of the UK’s data protection watchdog said to her audience would also have been relevant to a British audience.

She began by referring to the recently introduced European Union General Data Protection Regulation (GDPR), and suggested it was now “a catalyst for law reform outside of Europe.”

Ms Denham added that GDPR had resulted in complaints made to the ICO from members of the public more than doubling in the space of six months, and that complaints about subject access, data portability and data security were especially common. She also referred to the increased number of breach reports the Information Commissioner’s Office (ICO) now needed to handle, especially as breach reporting is now mandatory in certain circumstances.

Firms are expected to report data breaches to the ICO within 72 hours if the incident is “likely to result in a risk to people’s rights and freedoms.” If the breach might expose the affected data subjects to harm or loss, the firm will also need to notify each data subject. If a firm decides not to report a breach, it will need to be able to justify this decision, so it should document the reasons for such a decision.

The GDPR and recent high-profile data breaches have certainly made the general public more aware of data protection issues, and when their data may not be being handled appropriately. On this subject, the ICO chief commented:

“As people become more aware, they expect – they demand – greater safeguards and control. The ICO’s research tells us that only one in three people in the UK trust organisations to handle their personal data in line with the law. That’s better than it was, but it’s still not good enough.”

Nevertheless, Ms Denham said that not only must firms adapt to new data protection laws, but her organisation must as well, as she said:

“Now we are moving into a different phase where we engage with UK businesses and citizens differently. We need to be more of a collaborative, inquiring, helpful regulator — working with organisations on data protection impact assessments and codes of conduct. This is ICO 2.0.”

Impact assessments need to be carried out by firms in high-risk situations, for example in the use of new technology or where processing is likely to significantly affect individuals. These assessments must assess all risks that could arise from the change in practice and should consider ways these risks can be mitigated.

Almost inevitably, Ms Denham could not end her speech without mentioning Brexit. However, she emphasised that “whatever happens, the UK government has committed to retaining the GDPR and a strong independent well-resourced ICO.”


FCA issues its key findings on firms’ pension transfer advice

The suitability of pension transfer advice has been a key area of focus for the Financial Conduct Authority (FCA) for some time. In December 2018, the regulator published more key findings of its recent work in this area.

In 2018, the FCA collected pension transfer information from 45 firms, which led to further assessment work, including file reviews and visits, on 18 of them. Since April 2015, these 18 firms have advised 48,248 clients on their Defined Benefit (DB) pension schemes, which resulted in 24,919 actual pension transfers.

After the intervention of the FCA, two of these firms voluntarily withdrew from pension transfer advice and a further two varied their business models and surrendered their pension transfer advice permissions. That this happened at four of the 18 firms in the sample suggests that the previously identified failings remain fairly widespread across the sector.

The FCA continues to report that less than 50% of the transfer advice it sees is suitable. 48.1% of cases were classed as ‘suitable’ by the FCA, with another 29.2% being ‘unsuitable’ and the remaining 22.7% being ‘unclear’. Noting that across all products, the FCA believes that more than 90% of advisers’ recommendations are suitable, the regulator says:

“It is unacceptable that pension transfer advice should persistently remain at such a low level in comparison to investment advice.”

Of the 32 cases from the four firms which either varied or surrendered their permissions following the FCA intervention, only one of these 32 was deemed to be a suitable recommendation.

Whether or not they have fallen under the FCA’s radar in 2018, all firms giving transfer advice are urged to respond to the issues raised:

“We expect firms to take prompt action on our findings and to check that their business model and advice processes do not exhibit similar failings. Firms should review their risk management approach and controls to ensure that they are effective in mitigating potential harm to customers.”

The FCA adds that although its 2018 activities may have focused on 45 firms, every firm with permission to advise on defined benefit pension transfers has now received some sort of data request from the regulator. This will most certainly remain an area of focus for the FCA in 2019 and beyond.

Areas the FCA remains concerned about include:

  • Senior management not understanding the risks involved with transfer business
  • Firms failing to adequately monitor their transfer advisers and specialists
  • Advisers failing to obtain enough information about clients’ needs and personal circumstances
  • Advisers not making an adequate assessment of a client’s risk tolerance
  • Firms using generic justifications for a transfer, such as saying it was “the client’s objective to take control of their pension.”
  • Advisers failing to take proper account of the client’s desired retirement age
  • Advisers failing to consider the client’s actual current state of health, and instead relying on standard mortality statistics to predict life expectancy
  • Firms writing long suitability reports with unclear recommendations
  • Firms overstating the benefits of transferring and downplaying the risks

Finally, the latest report warns of possible enforcement action for firms that fail to comply:

“We will not hesitate to take action against any firm that continues to present harm to consumers.”


MOJ issues third quarter CMC enforcement bulletin

The Claims Management Regulator at the Ministry of Justice (MoJ) has issued its enforcement bulletin for the period July 1 to September 30 2018. This is of course one of the last such bulletins that the MoJ will issue, as the Financial Conduct Authority (FCA) takes over as claims management regulator on April 1 2019. The bulletin actually makes no mention of the impending FCA handover and instead concentrates on the actions the MoJ has been taking against claims management companies (CMCs).

Between July and September 2018 the Regulator conducted 79 audits and 77 company visits. This resulted in it cancelling the licences of 29 CMCs and warning 43 more. Three more investigations commenced during the three-month period.

Although recent FCA data has suggested that more and more consumers are pursuing payment protection insurance (PPI) claims on a DIY basis, the bulletin still says that PPI is “the most active claims area in the financial claims sector.” As its period as claims regulator ends, the MoJ says it continues to monitor PPI CMCs in areas such as: client acquisition and sales, client paperwork, claims processing, complaints handling and other processes and systems.

The regulator adds that it has seen no evidence so far of any CMCs breaching the recently introduced ban on the charging of upfront fees for PPI claims. However, it adds that it is also monitoring compliance with the new 20% fee cap, and specifically whether CMCs’ contractual information and marketing material reflect this cap. Eight CMCs were identified for follow-up work and one was issued with a formal warning.

On the subject of personal injury, holiday sickness and housing disrepair claims, the MoJ is focused on enforcing compliance with: the referral fee ban, rules on marketing and how CMCs engage with clients. The bulletin says that eight formal warnings have been issued as a result. Once again, the MoJ’s enforcement bulletin highlights “the identification of CMCs involved in suspected fraudulent and other criminal activity” in this claims arena.

Three more warnings were issued to CMCs regarding nuisance calls and texts. It was also in this area that the MoJ partially won an appeal made by a CMC against its enforcement action, although the level of fine was reduced. The punishment was imposed after the MoJ concluded that the company had made contact with 65 consumers who had registered with the Telephone Preference Service, and that the company was unable to demonstrate that it had received the necessary consent for those contacts.


FCA director speaks on cyber and tech resilience

The issue of cybersecurity and other technological threats is seemingly one that will never go away, and no financial services firm of any size, in any sector, can afford to neglect the issue.

Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the Financial Conduct Authority (FCA), spoke on this issue when she addressed a Bloomberg conference in November 2018.

Her speech began with a warning that, while new technologies bring new opportunities, they also bring new threats. She said this was “a fundamental challenge” for her organisation. Nevertheless, she added that the FCA was harnessing technology, for example it is using new technological tools to detect market abuse, and that Project Innovate is an initiative that encourages firms to develop new technology.

Next, Ms Butler highlighted how technology-related issues are becoming a greater risk within financial services. In the year to October 2018, the number of technology outages reported to the FCA by authorised firms rose by 138% when compared to the previous 12 months. 18% of all the reports concerned cyber incidents. She added that she believed the true extent of the problem was still being under-reported.

However, she did re-assure her audience that the FCA accepts that incidents will sometimes occur, and that firms cannot realistically foresee and prevent all episodes. Here, the FCA director commented:

“The FCA does not expect ‘zero-failure’, a point that is explicitly in July’s FCA and Bank of England paper on operational resilience. In that we talk about setting ‘impact tolerances’ and the ability of firms to ‘recover and learn from operational disruptions’.”

However, she did say that “the FCA is deeply concerned that the number of technology incidents reported to us has increased, with many outages linked to re-platforming and outsourcing failures.” Many of these episodes have been high-profile failures involving the major banks. Ms Butler added that “a lot of firms seem overly confident about their ability to manage flagship IT change programmes and keep their systems up to date.”

The next section of the speech included some useful tips on how firms can minimise the chance of technology problems. These included:

  • Use of simulation exercises
  • Comprehensive internal training
  • Engaging external support to complement existing internal IT functions
  • Focusing on the continuity of a firm’s most important business services
  • Putting back-up plans in place should an incident occur
  • Ensuring the directors and senior management are actively involved in technology risk planning, and that the issue is not just left to the IT department
  • Ensuring the long-term interests of customers are protected

In turning to the issue of cyberattacks, Ms Butler added a note of optimism. She listed a number of large firms that have recently fallen victim to significant cyberattacks and noted that there were few financial services firms in her list.

However, she was less positive when she said that it was “a major concern that a lot of firms still seem to be trying to get the basics right on cyber.” In this section of the speech, the FCA director told her audience that:

  • A third of firms do not perform regular cyber assessments
  • Almost half of firms do not upgrade or retire old IT systems in time
  • Only 56% of firms are confident they can measure the effectiveness of their information asset controls


Insurance broker has permission cancelled for failing to pay FOS award

The Financial Conduct Authority (FCA) has confirmed that an Oxford-based insurance and credit broker has been stripped of its permission to operate in the financial services arena. This comes after the firm failed to pay a compensation award that it was requested to pay by the Financial Ombudsman Service (FOS).

The firm is now in liquidation, so it could be argued that the FCA’s action will have no practical impact. However, all authorised firms need to be in no doubt that the regulator would impose its most serious sanction should a firm fail to pay even one FOS award to a customer. Firms can appeal a decision made by an FOS adjudicator to an ombudsman within the FOS, but if the Ombudsman finds against them, they have no further right of appeal, save for taking the matter to a judicial review, and must pay the compensation award even if they continue to dispute the decision.

In this case, the firm unsuccessfully appealed to the Tribunal to have its ban set aside. However, its submission simply explained why it believed that the FOS decision was unfair, and the FCA has no power to overturn an FOS decision.

The FCA’s Final Notice says:

“It appears to the Authority that [name of firm] is failing to satisfy the suitability Threshold Condition, in that the Authority is not satisfied that [name of firm] is a fit and proper person having regard to all the circumstances. [name of firm] has failed to satisfy the Authority that it is conducting its affairs in an appropriate manner, having regard to the interests of consumers. Specifically, [name of firm] has failed to comply with the FOS Award made against it on 17 December 2014, despite repeated requests by the FOS and the Authority that it do so.”

A client of the firm, referred to as Ms B, made a complaint to the FOS about the sale of a Professional Let Home Insurance Policy, a specialist landlord’s insurance policy. The crux of her complaint was that the broker had failed to highlight important exclusions in the policy terms. These exclusions allowed the insurer to refuse her claim, made following a break-in, on the grounds that there was no liability for theft and malicious damage during periods where the property was not furnished for normal habitation. At the time of the break-in, the property was being redecorated at the end of a tenancy.

The FOS upheld Ms B’s complaint and directed the firm to pay Ms B the value of her claim, with additional interest calculated at 8% per annum. Ms B accepted this FOS decision.


FCA publishes new ‘approach to authorisations’ document

In November 2018, the Financial Conduct Authority (FCA) issued a new version of its ‘approach to authorisations’ document.

The document begins with a statement of what the regulator expects from the firms it authorises:

“Every day the UK population relies on a range of financial services, from basic bank accounts to car loans, mortgages, pensions and complex investment products. Consumers need to have confidence in these services and the firms and individuals that provide them. They expect the market to be fair, open and competitive. They also have high expectations of those who regulate these firms.”

The FCA describes the principal purpose of its authorisation regime as being the prevention of harm to consumers, by saying:

“We seek to prevent harm by ensuring that all regulated firms and individuals meet our minimum standards. For firms that wish to be authorised or approved under the Financial Services and Markets Act 2000 (FSMA), the minimum standards are the Threshold Conditions and for individuals it is the Fit and Proper test.”

As an example, the regulator cites debt management firms. On commencing regulation of this sector in 2014, the FCA was concerned by the high volumes of complaints these firms were receiving, and by the fact that so many of their clients were “vulnerable” in some way. The FCA says that:

“As a result, we required more information and evidence from these firms at the point of authorisation, to establish that they met our minimum standards, than we did from others that posed a lower risk to consumers.”

The document adds that many debt management firms left the market as the FCA refused their authorisation applications. The regulator was forced to enter into agreements with the Money Advice Service, and with debt management trade associations, to ensure that customers of these firms were not disadvantaged.

Tools that the FCA says it may use when assessing applications from firms and/or individuals include:

  • Information provided in the application
  • Market research and intelligence
  • Calls to the FCA Contact Centre
  • Complaints data
  • The FCA’s experience of supervising similar firms
  • Interviews with the individual / key individuals from the firm

Specifically regarding the authorisation of individuals, the document says the FCA also considers:

  • The individual’s employment and regulatory history
  • Whether they have been involved in misconduct, or any criminal activity or adverse civil proceedings

Prior to making an authorisation application, a firm or individual needs to prepare effectively. Here, the document advises:

  • Looking at relevant information on the FCA website
  • Making enquiries to the FCA’s Contact Centre
  • Seeking legal advice and advice from a compliance consultant
  • Ensuring they are able to clearly articulate their regulatory obligations

Once an application has been submitted, the FCA advises firms to remain available to answer any queries, or provide any additional information, that the regulator requires.
