Warning: Jersey’s financial advisers and firms should get set for ‘huge’ data breach fines
Jersey and Guernsey-based financial services firms and financial advisers that hold too much personal information about their clients could face massive fines or be sued by their customers from next year, compliance experts have warned.
In May 2018, the EU’s General Data Protection Regulation (GDPR), which aims to strengthen data protection for EU citizens, is due to come into force. Under the new rules, firms face fines of up to €20m (or four per cent of their worldwide turnover) if they breach the regulations, according to compliance consultants Comsure, speaking in an interview in The Jersey Evening Post.
From May 2018, all organisations – from multinational companies to charities – will need to ensure that the personal data they store is secure, not held for “longer than necessary” and is not excessive to their business requirements.
Personal information held on social media will also be more strictly protected, and individuals will have greater rights to access their personal data and the right to know if it is being held by a company.
Social media fines?
Mathew Beale and Marc Allenet of compliance consultants Comsure said in an interview with The JEP that the GDPR ruling – which will apply to Jersey – could mean that common practices like looking up the personal details of finance clients or viewing a potential employee’s personal details on Facebook could even become illegal.
Beale said that the new regime could also conflict with other regulations such as those that have been implemented by the Jersey Financial Services Commission, which requires finance firms to carry out strict background checks on their clients as part of its anti-money-laundering rules.
“In financial services the case has been the more information you hold about your clients the better,” said Beale. “But with GDPR it will be the opposite – it’s the case that the less personal information you hold the better.
“And you could in future find yourself in trouble for looking up someone on Facebook or LinkedIn, if they find your digital footprint on their profile.”
Beale said that it was yet to be determined in what circumstances Jersey’s finance laws and GDPR would be in conflict with each other and which would take precedence. In specific cases some parts of the Jersey law have “not been written yet”, he said.
The additional scrutiny of data will cause concern for financial services companies and advisers, many of which complain that they are already over-burdened by regulation as things stand.
“It might take a few cases before we know where we are exactly,” Beale told The JEP.
“There are three areas of law where you can fall foul – regulations, criminal law and civil cases. For financial services, civil cases are a particular issue because they have very wealthy clients. If you are going to sue someone, you need money and a lot of the people that finance deal with, do.”
Data hosting protection
Marc Allenet, who works with Beale at Comsure, added: “There are data hosting services which can help protect people from GDPR but it won’t protect them entirely.”
He added, however, that GDPR could be an opportunity for Jersey to sell itself as a well-regulated jurisdiction, if it is well-prepared in advance.
Furthermore, Jersey’s financial advisers have been warned separately that they could also face heavy fines in future if they are found to be carrying out inappropriate market conduct, according to local reports.