4.3.4 Data protection
One inevitability of financial services business is that firms will gather a considerable amount of personal data about their customers – much of it relating to their financial status and to the location of their assets (e.g. their bank accounts). The risk is that this could fall into the wrong hands and be misused to the customer’s disadvantage.
The importance of data protection applies widely in economic and social life, and does not just relate to financial services activities – although the potential for financial loss through poor data protection is arguably greatest in the arena of financial services.
The way financial services firms handle personal data is governed by the Data Protection Act 2018. This has replaced the regulatory framework laid down by the Data Protection Act 1988 and it represents the UK’s implementation of the European Union’s General Data Protection Regulation (GDPR).
The guiding data protection principles that apply are that all information held by firms must be used lawfully, fairly and transparently. Additionally, the information gathered must be both accurate and limited only to what is necessary. All information must be held securely. The 2018 Act also provides stronger legal protection in respect of sensitive information about such matters as ethnicity, political views, religious opinions, health and sexual orientation.
So what rights do people now have under the 2018 Act?
There is the right to find out what information is held about you. This includes the right to:
- be informed about how your data is being used
- access your personal data
- have incorrect data changed
- have data erased
- stop or restrict the processing of data
- allow the portability of data (e.g. its reuse for other services)
- object to how your data is used in certain circumstances
- approve use of your data for profiling activities (e.g. predicting your interests).
If you wish to find out what information about you a firm holds, you need to contact its Data Protection Officer (DPO). If you are not sure who this is, address your communication to the company secretary. Under normal circumstances the details of the data held must be provided within a month.
If you have a complaint about the information that is being held, or about how it is being used, the matter should be taken up with the Information Commissioner’s Office (ICO).
The Information Commissioner has the responsibility for ensuring that the regulations laid down by GDPR and the Data Protection Act 2018 are being applied appropriately.