Informed Funding
I’m sure you’re fed up with hearing about the potential implications of Brexit and the FCA’s recent call for input on crowdfunding (if not, I’d be happy to discuss!), so I thought I would look ahead to see what other regulatory delights await regulated firms in the alternative finance space.
General Data Protection Regulation
The one which stands out is the new General Data Protection Regulation (EU) 2016/679 (“GDPR”). In this increasingly data driven world, data is becoming ever more valuable. But every valuable commodity must be treated with care and data, the 21st century’s “oil”, is no exception.
The GDPR will apply from 25 May 2018 and, as an EU regulation, it will be directly applicable in all EU member states, meaning that there will be no need for member states to transpose it into national law.
But we are Brexiting – I don’t care!
Irrespective of when the UK officially leaves the EU as a result of Brexit, the GDPR will inevitably be very relevant to UK businesses, including firms regulated by the FCA. The GDPR will apply directly in the event that the UK joins the EEA, but even if this does not happen, the regulation has extra-territorial reach: UK businesses that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, will nevertheless have to comply with its provisions.
But the regulation has no teeth, right?
Wrong! The consequences of not complying with the GDPR will be harsh. Under the new regime undertakings risk being fined up to 4% of their total worldwide annual turnover for the preceding financial year or EUR 20,000,000 (whichever is higher) for breach of the more serious requirements under the regulation.
What are the most significant changes?
Here are some of the most significant changes to data protection law that we will be seeing:
- Consent will have to be freely given, specific, informed and unambiguous, and given by a clear affirmative act such as a written statement or ticking an unticked box on a website. Silence, pre-ticked boxes or inactivity will not constitute valid consent, and consent must be as easy to withdraw as it was to give. Where firms process special categories of data (for example health data), the data subject’s consent will have to be “explicit”. In every case the data subject must be aware that he or she is consenting to the processing of personal data and for what purpose.
- The GDPR will impose an obligation on data controllers to build data protection into their processing from the early stages of any project (“data protection by design and by default”) and, where processing is likely to result in a high risk to individuals, to carry out a data protection impact assessment before starting. Data controllers will also be required to keep their personal data activities to a minimum in terms of the volume of data collected (data minimisation) and the length of time it is stored (storage limitation). This will impact data-driven businesses whose models depend on collecting and retaining as much customer data as possible.
- Decisions based on ‘profiling’ will be restricted under the GDPR. Profiling refers to the automated processing of personal data to evaluate aspects of an individual (typically used to predict consumer behaviour). Data subjects will have a right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them. Such decisions will only be allowed if, for example, they are authorised by law, based on the data subject’s explicit consent, or necessary for entering into or performing a contract, and even then the data subject must be able to obtain human intervention and contest the decision. This will be particularly relevant for consumer lending platforms that rely heavily on automated, data-driven lending decisions, since the automatic refusal of an online credit application is the textbook example of such a decision.
- The GDPR will introduce the concept of “data portability”, that is the right of data subjects to obtain the personal data they have provided to a data controller in a structured, commonly used and machine-readable format so that it can be transferred to another data controller (and, where technically feasible, to have it transmitted directly from one controller to the other). The right applies where the processing is based on consent or a contract and is carried out by automated means. Again, this may be an interesting challenge for consumer credit platforms that hold a large amount of data about their customers.
Data breaches
New reporting obligations will also be introduced. Data controllers will have to notify breaches of personal data to the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay, and data processors must inform their controllers of any breach without undue delay. FCA-regulated firms should bear in mind that this sits alongside their existing duty to notify the FCA of matters with a serious regulatory impact. A well-developed data security policy incorporating an incident response plan (covering detection, containment, assessment of the risk to individuals and the decision whether, and whom, to notify within the 72-hour window) is therefore highly recommended.
Will I need to designate a data protection officer?
Given the potentially onerous obligations created by the GDPR, the further new requirement for certain data controllers and processors to designate a data protection officer within their organisation comes as no surprise. The requirement is triggered by the nature of the processing rather than the size of the business: a data protection officer must be appointed where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions. Appointing a data protection officer would in any event be the most sensible course of action for large organisations and firms that process large volumes of personal data. However, the mandatory requirement may also catch smaller companies, such as platforms that routinely track and profile their customers, and come as a significant additional cost to such businesses.
Next steps
Companies that routinely process personal data as part of their day to day activities should really start to think now about how best to ensure that they have systems, procedures and personnel in place to comply with the new regulation once it applies from 25 May 2018. This is especially so given the potentially adverse financial (and reputational) consequences that breaching the GDPR could lead to.
__________
Jonathan Segal, Partner at Fox Williams LLP
Jonathan is a partner in the FinTech and Alternative Finance team at Fox Williams, a City-based Law Firm. He advises clients across the FinTech and Alternative Finance spectrum, from start-ups disrupting existing markets with innovative technology to financial institutions looking to invest in new technology.
He has particular expertise in peer-to-peer and crowdfunding platforms, drawing on his extensive experience in the banking and finance sector gained both in-house at major financial institutions and in private practice. His experience spans a variety of financial products, including loans (both corporate and consumer), real estate and development finance, asset-based lending, receivables financing, asset finance, trade finance, capital markets, derivatives and repos. A regular speaker at industry events both at home and abroad, Jonathan is also heavily involved in next generation disruptive financial products such as virtual currencies (including Bitcoin), blockchain technology and the use of Big Data in financial predictive analytics and disruptive insurance models.
Fox Williams LLP are experts at advising entrepreneurs and FinTech businesses. For more information as to how Fox Williams can help you (including arranging a free consultation) or for further information on the issues discussed in this article, please liaise with either or .