Recent enforcement decisions of the Isle of Man Financial Services Authority may well make firms nervous about getting their own house in order. By contrast, the penalties issued by the Isle of Man Information Commissioner over the last few years have predominantly been imposed on government departments, so it would be easy to conclude that data protection is no longer something you really need to worry about. GDPR has not gone away, however, and regulatory obligations must still be met within the framework of data protection by design and by default.
This article considers data protection compliance in the context of financial services regulatory compliance.
FUNDAMENTAL PRINCIPLES OF DATA PROTECTION
The data protection principles set out at Article 5 of the GDPR as applied to the Isle of Man (Applied GDPR) are fundamental to every decision, action and process which may use personal data.
Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject – Lawfulness, fairness and transparency
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes – Purpose limitation
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – Data minimisation
- Accurate and, where necessary, kept up to date – Accuracy
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed – Storage limitation
- Processed in a manner that ensures appropriate security of the personal data – Integrity and confidentiality
Controllers are responsible for, and must be able to demonstrate compliance with, these principles – Accountability.
Processing is only lawful if at least one of the following grounds applies:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at their request to enter into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject which is laid down under either EU law (as applied to the Isle of Man) or under Manx law;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For example, an independent financial advisor (IFA) regulated by the Isle of Man Financial Services Authority is required to obtain information about its client in order to (1) satisfy the IFA's obligations under the AML/CFT Code, (2) find out about the client's lifestyle and risk appetite to satisfy requirements of the Financial Services Rule Book, (3) provide the client with investment advice and (4) correspond with the client.
There are lawful grounds for the IFA to collect data about the client (full name, address, source of funds, occupation...) because the IFA has a legal obligation to do so and because it is necessary in order to perform a contract with the client. However, the IFA has no lawful basis for asking the client their shoe size, for example, or for starting to use the data it has collected for other, unrelated purposes.
SPECIAL CATEGORIES OF PERSONAL DATA
In order to lawfully process special category data, you must identify both a lawful basis as above and a separate condition for processing under Article 9 of the Applied GDPR. Note in particular that the Article 9 condition closest to 'legal obligation' is limited to obligations under employment, social security and social protection law, and that there is no Article 9 equivalent of 'performance of a contract' or 'legitimate interests': those grounds alone cannot justify processing special category data.
The special categories of personal data are data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
You may be able to rely on one of the following potentially relevant grounds:
- Where the personal data is manifestly made public by the data subject – the personal data must have been made public by the data subject themselves and must be realistically accessible by members of the public.
- Where the processing is necessary for the establishment, exercise or defence of legal claims – this includes actual or prospective proceedings.
- Where the processing is necessary for reasons of substantial public interest (based on Manx law or EU law applied to the Island) which is proportionate to the aim pursued, respects the essence of the right to data protection and provides specific measures to protect the fundamental rights and freedoms of the data subject.
If relying on this ground you must also meet one of the "substantial public interest" grounds set out at Part 2 of Schedule 2 to the GDPR and LED Implementing Regulations 2018 (as amended), which include where the processing is necessary for the purposes of the prevention or detection of an unlawful act, or to comply with the requirements of AML/CFT legislation or for certain insurance purposes.
Where you are required by a regulator to collect or share special category personal data, you will need to consider which Article 9 condition applies to that sensitive personal data and document your decision making. You must also complete a data protection impact assessment if the intended processing is likely to result in a high risk to the rights and freedoms of natural persons, which will in particular be the case if you intend to process special category data on a large scale.
Any processing of personal data relating to criminal convictions and offences can only be carried out under the control of official authority or when the processing is authorised by EU law (as applied to the Isle of Man) or Manx law providing for appropriate safeguards for the rights and freedoms of data subjects. This will include where processing necessarily falls within the scope of obligations imposed under AML/CFT legislation, but appropriate safeguards must be in place.
FAIRNESS AND TRANSPARENCY
Processing of personal data must always be fair as well as lawful. Just because you can do something, does not necessarily mean that you should.
Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.
Before collecting or sharing personal data to meet a regulatory obligation, you must consider what harm this could cause the data subject, for example whether appropriate security systems are in place and whether the data could be used for nefarious purposes. You must also consider whether the data subject would reasonably expect their data to be used in this way, which will be easier to demonstrate if they have been told about it in a transparent way.
Transparency requires being clear, open and honest with people from the start about who you are, and how and why you use their personal data. Keep regulatory obligations in mind when writing and reviewing privacy notices and ensure this purpose (and its legal basis) is clearly set out in your privacy notice.
CHANGE OF PURPOSE
If personal data collected for one purpose (e.g. administering a client relationship) is then used to meet a new obligation (such as inclusion within a report to the regulator), the data is being processed for a new purpose.
Under the principle of purpose limitation, personal data must be collected for specified, explicit and legitimate purposes, and only further processed in a manner that is compatible with these purposes. You will need to assess whether the further processing is compatible with the reason the personal data was obtained in the first place.
You must tell data subjects about the new purpose within a 'reasonable period' before the processing of their data for the new purpose – the more intrusive the processing, the longer the time period between giving notice and processing should be. This may not be necessary if the purpose was already identified in your privacy notice.
You must also consider whether a data protection impact assessment is required, and also update your records of processing.
TRANSFERS OVERSEAS
The position becomes more complicated still if the regulatory obligation involves a transfer of personal data overseas, as an additional layer of rules then applies.
Transfers to EEA jurisdictions or jurisdictions with an adequacy finding made by the European Commission (including the UK, Jersey and Guernsey) are generally unproblematic, but for other jurisdictions (or 'third countries') you must consider whether another prescribed means of safeguarding that personal data exists. Often when transferring personal data to a person in a third country the Standard Contractual Clauses approved by the European Commission are used, but if the transfer is to a regulator it may not be practical to enter into a contract with them.
The judgment in Schrems II has added a further step: before you rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that data subjects will continue to have a level of protection essentially equivalent to that under the Isle of Man data protection regime. This requires a risk assessment taking into account both the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data).
A detailed look at the further grounds for transfers overseas is beyond the scope of this article, but please keep in mind that it may not always be possible to find an appropriate safeguard. Transfers overseas are tricky, and becoming increasingly so with developing case law and jurisdictions introducing their own versions of contractual clauses.
A regulatory request or obligation does not override data protection considerations – you still need to go through the process of identifying the legal grounds for processing personal data, ensuring fairness and transparency, assessing any new purposes of processing, appropriately safeguarding transfers overseas, notifying data subjects where applicable and maintaining records of processing and decision making.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.