Blogs


The Data Protection Bill – What do I need to know?


The draft Data Protection Bill [HL] 2017-19 will get its second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent.  In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates[1].

In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and as it is a Regulation it does not need to be transposed into domestic law.  But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.

GDPR

GDPR widens the scope of the previous Data Protection Directive (the EU legislation that underpinned the Data Protection Act 1998) to provide data subjects with greater protection for their personal data, and also extends data subject rights.  The Regulation reduces the principles from 8 to 6, but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation (like subject access requests) and some of which are new.  Data controllers must be able to demonstrate compliance with all the principles (accountability), and there are new obligations for data processors.

LED

The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision.  The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects.  In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.”[2]

An overview of the LED can be found here.

Council of Europe Convention on Processing Personal Data

The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit.  The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection.  The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:

“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the trans frontier flow of personal data.”[3]

The Convention will be modernised and will reflect the same principles as GDPR.  A draft version is available online at https://www.coe.int/en/web/data-protection

The Draft Bill

The draft Data Protection Bill (‘the Bill’) has a number of purposes:

  • It sets out how the UK would apply the derogations available under GDPR

  • It will bring the Law Enforcement Directive (LED) into UK law

  • It updates the laws governing personal data processing by the intelligence services

  • It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit

  • It will repeal the Data Protection Act 1998

The Bill was originally introduced into the House of Lords on 13th September 2017, but its passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.

GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:

  • The age of consent for children to access information society services

  • Processing criminal conviction and offence data

  • Automated individual decision-making

  • Freedom of expression in the media

  • Research

The Bill was introduced to the House of Lords on 13th September 2017 and following much debate it was introduced to the House of Commons on 18th January 2018.

The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do –

The Bill is split into seven Parts and eighteen schedules:

  • Part 1: Bill overview and definition of key terms
  • Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
  • Part 3: LED and law enforcement processing
  • Part 4: National Security Processing through a modernised Council of Europe Convention
  • Part 5: Functions and Duties of the Information Commissioner – including the requirement to publish codes of practice on data sharing, direct marketing and age-appropriate design for online services likely to be accessed by children
  • Part 6: Enforcement regime and ICO Powers
  • Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application

The Briefing Paper also includes a summary of the House of Lords debates for those who are interested in reading more (http://researchbriefings.files.parliament.uk/documents/CBP-8214/CBP-8214.pdf); the full debate transcripts are available on the House of Lords website.

So, for those of you using the 80 days (including weekends and bank holidays) to prepare for GDPR, what does this mean?  Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill and specifically the section around the Information Commissioner and Enforcement.  If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED, but you will need to familiarise yourself with the Parts of the Act that are relevant to you.  Everyone will need to monitor the Government’s Brexit negotiations, as once we leave the EU the UK will be a ‘Third Country’ and there may be additional requirements to enable the transfer of data between the EU and member states.

Get in touch

If you need further advice, find out more about our Ask Teal service, or simply contact one of our helpful experts today.

[1] https://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-8214#fullreport

[2] European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 – http://europa.eu/rapid/press-release_MEMO-17-1441_en.htm

[3] https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108


AML – the size and nature test


Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires that a regulated firm implements internal controls where appropriate to the size and nature of the firm.

These controls are:

  1. Appoint a person to be responsible for compliance with the regulations
  2. Screen relevant employees, both before the appointment is made and ongoing thereafter
  3. Establish an independent audit function

So, what should the ‘controls’ look like and what is the appropriate ‘size and nature’?

Controls

In my experience, in legal services we don’t have many controls in place. Our colleagues in other industries, such as financial services have lots. A control exists to check the efficacy of a policy and procedure. By way of an example, I am betting your firm has a confidential waste policy, “you must not put client information or confidential data in the normal waste paper bin”. You will have a procedure which says “You must put confidential waste in the bin for confidential shredding”. Very few firms however have a control which says “we will check the waste paper bins weekly to ensure that no confidential data has been put in there”.

It’s great to have policies and procedures, but we usually only find out if they are effective when something goes wrong, by which time it’s too late to avoid the damage that the policy and procedure was designed to avoid.

The Regulation 21 controls are designed to make sure you have someone who is tasked with making sure that the regulations are complied with, we have people who know how to comply with them, and that we check that they are working.

Size and Nature

Implementation of these controls depends on the size and nature of the firm. When we were drafting the guidance at the Money Laundering Task Force we grappled with how a firm decides on its size and nature. It’s not an easy thing to define. The Legal Sector Affinity Group decided on:

Factors you may consider when determining whether it is appropriate to apply those controls include:

  • The number of staff members your practice has

  • The number of offices your practice has and where they are located (including whether your practice has overseas offices)

  • Your client demographic

  • The nature and complexity of work your practice undertakes

  • The level of visibility and control that senior management has over client matters

(taken from the draft Legal Sector Affinity Group Guidance).

Sole practitioners who do not employ any staff are not caught by this by virtue of regulation 21(6).

In practice, I think firms will have appointed their COLP as being responsible for compliance (which is arguably already their job by virtue of the SRA authorisation rules). I think firms will be obtaining references for new staff, at times carrying out more rigorous criminal records type checks, and will be thinking about testing staff understanding after training courses.

I think less straightforward is establishing whether a firm needs an independent audit function. My personal view (rather than that of the Law Society) is that a firm does not have to be very big in order to be required to do this. Take this example: a firm that has about 50 people, across 2 offices, with all the staff collecting and recording their own due diligence, and lawyers making decisions about what sorts of inquiries to make regarding the purpose and nature of the transaction. Does the MLRO know that his policies are adhered to and are effective? If, hand on heart, he would say no, an audit would give him that visibility. The mischief the control is trying to get at is to ensure that the firm knows if the Policies, Controls and Procedures they have in place are working.

So if you decide you are of the size and nature to need an independent audit, who is going to do it?  Do you have staff with the requisite knowledge and capacity to carry out the audit? Are they able to act independently? I think that resourcing alone would be a struggle for many of the smaller firms, and indeed a fair few of the larger firms, who might have an audit function but without the necessary experience in AML.

An audit should include review of the policies and procedures, interviewing staff and reviewing files and accounts processes to ensure that the policies and procedures are deployed correctly.

Help

With that in mind, we have put together a package of support for firms who can’t resource their audit internally. We can:

  • Review existing policies and procedures, including firm and matter risk assessments

  • Carry out on site review of systems, policies and procedures

  • Interview staff members to test understanding

  • Provide feedback of observations and recommendations for improvement

In addition we can help

  • Rectify policies and procedures

  • Develop controls to ensure constant visibility as to compliance

  • Provide tailored in-house training to all staff members to embed learning

  • Provide ongoing support and monitoring

Get in touch

If you are still unsure how the AML size and nature test applies to your firm, get in touch with one of our experts today.


What are your compliance goals?


At the start of 2018 most of us will have sat down and set personal new year resolutions. There are two questions I would ask:

  1. How many of those resolutions are you maintaining?

  2. Out of those resolutions, were any of them business focused?

Whether you are the decision maker in the firm or an employee, it is always good to have goals to focus on.  Compliance underpins both the individual and firm-wide goals; without it you are almost certainly not going to succeed.

At the very least, whilst you may think you are succeeding without compliance, it will only take one complaint that leads to a negligence action, or a rogue fee earner, to bring the walls tumbling down.  The foundation of any law firm is Compliance – how good would it be to achieve all your goals and sleep at night without the worry of “what if”?

Even in the most compliant firms partners will still at one time or another have that feeling of something going wrong, usually in the middle of the night.  At Teal we are here to make sure that those 3.00am wake up calls are few and far between.

Prevention is better than cure and sometimes the not knowing how to deal with something is far worse than the issue itself.

If you were building a house or a block of flats, you would not do so without the appropriate planning permission or foundations.  Building a block of flats on the same foundations as a single- or double-storey house is a risk that we can all see.

You may not be able to see the risks in your own firm, which is where Teal can assist.  We know what to look for, how to deal with the warning signs and put systems in place.  We will set goals for you which we know you will be able to achieve.

Compliance is not about setting people up to fail, it’s about being realistic in training your staff, so they know what to look out for and question.  It’s about being preventative and having the knowledge of what is truly happening in your firm.  Not turning a blind eye because that fee earner bills a higher amount.  It’s about the culture and fit of the employees within your firm.  It’s your integrity, ethics and your reputation.

So, if we were to look at your compliance goals – what would they be?

Get in touch

We can help you achieve your compliance goals through a range of services we have to offer. Simply get in touch with one of our experts today to find out more.


What’s a DPO and does my business need one?

A ‘DPO’, or Data Protection Officer is the person in a business who has been appointed to deal with all data privacy related matters.  Under the current Data Protection Act there are no mandatory requirements to appoint a DPO, although some businesses that process a high volume of data may have someone in that role already.

There has been a lot of confusion over the last few months about whether the implementation of GDPR [1] (on 25th May 2018) or the introduction of the Data Protection Bill 2017 means that businesses do now have to appoint a DPO.  The answer to that question is, no, not all businesses need to appoint a DPO BUT that doesn’t necessarily mean that it’s not in your business’ best interest to have someone who is solely responsible for data privacy matters.

GDPR

The GDPR requirements are set out in Article 37:

“The controller and the processor shall designate a data protection officer in any case where:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”

GDPR also points out that it is ‘entirely reasonable’ to share a DPO with other organisations.  The role could also be performed by a current employee alongside their existing duties.

The Data Protection Bill

The Data Protection Bill [2] will introduce GDPR into UK legislation, only necessary because of Brexit (GDPR is a Regulation so applies to all member states without the need for domestic legislation).  The Bill will cover GDPR which applies to ‘general processing’, but also the Law Enforcement Directive [3] which must be transposed into domestic law by 6th May 2018.  Finally, the Bill also covers processing for National Security, currently not covered by either GDPR or the Law Enforcement Directive.

Under the Bill, the GDPR requirements around DPOs will stand and the only addition is in Part 4, chapter 3 which relates to law enforcement processing:

“s69(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.”[4]

Best Practice

Whilst you may not be under a mandatory requirement to appoint a DPO, it is considered best practice to appoint someone to be responsible for data privacy matters.  With GDPR, the Data Protection Bill and then the proposed changes in respect of E-Privacy, the importance of data privacy and protection is not going to diminish any time soon.  After all, it’s not a case of simply ticking a box that says you are compliant with the legislation.  The concept of privacy by design is now a requirement of GDPR, and teamed with the requirement to demonstrate ongoing accountability, it’s important to have a data protection ‘champion’ within your business to ensure that privacy, data protection and data subjects’ rights remain at the forefront of everyone’s minds.

Get in touch

For more information about data protection compliance, simply get in touch with one of our experts today.


[1] General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

[2] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf

[3] Directive (EU) 2016/680

[4] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf, Part 4, Chapter 3, Section 69(1)


Know your clients to avoid AML penalties

I was recently at an event speaking about AML legislation. As my attentive audience sat eagerly taking notes, one delegate raised her hand to ask about client verification, and how to do it correctly. Silence struck the room quite quickly as the realisation hit all the delegates – this was something they needed to consider and manage effectively to avoid AML penalties. It sounds straightforward, but get it wrong or miss something and the penalties to your business can be steep.

The easiest, most cost-effective option by which to verify your clients is E-verification.  Nowadays, E-verification is a viable option used by many corporate firms that are looking to streamline an already complex process, and can be used as a tool to verify the identification provided.  Having said that, it’s important to remember that additional, non-electronic checks may need to be conducted, simply to prove that the person in front of you is who they say they are!

Using E-verification is becoming increasingly important, especially as the new regulations stipulate that domestic PEP checks are required.  The market is bombarded with variations of what is available, some offering standard checks and others offering basic packages with add-ons depending on your firm’s risk appetite. To be sure you’ve covered it all, follow the tips below when choosing an AML provider.

An address verification service:

Verify the address that has been provided to you and confirm that it is current.

Document validation check:

Validate the passport or driving licence and confirm this is a Government issued document and not a fraudulent copy.

Mortality check:

Confirm the person exists and is not deceased, as you may be dealing with someone who is an impersonator adopting a different identity.

Politically exposed person (PEP) screening:

Any match, be it a domestic or an international PEP, associated persons or family, requires an enhanced due diligence check to be carried out, along with the assessment of any risks involved with appropriate internal MLRO approval.

Sanctions screening:

Check your match is an exact match by comparing the photograph provided (where available) to identity documents and that dates of births are consistent.

Negative news check:

Are there any CCJs registered, or is your client linked to any fraud or bribery allegations or convictions?

Bank details validation/verification check:

Where bank details have been provided, check these are legitimate as any errors may cause further delay in rectifying issues with the bank later.

When running e-verification checks it would be good practice to ask your provider to confirm that:

  • searches do not affect the credit rating of the individual or the corporate;
  • there is an audit trail of all searches run; and
  • the storage of such data is compliant with the General Data Protection Regulation (“GDPR”).

As I have said, E-verification does not, on its own, fulfil the requirements of client due diligence. You should also consider:

What is the intended business relationship?

Don’t be afraid to confirm with the client the details of the work you are proposing to do for them and whether this is a one-off transaction or an ongoing business relationship.

Is the source of funds consistent with the business?

Is a UK or an international bank used to process the transaction and where is the money due to come from?

Additional requirements

Consider any requirements for lenders to see physical identity documents to combat identity fraud.

Get in touch

To find out more about the AML services we have to offer, contact one of our experts today.


GDPR – ICO fee changes from 1st April 2018


As we are all aware, the GDPR implementation deadline of 25th May 2018 is fast approaching; in fact it’s just over 15 weeks away.  But were you also aware that the requirements for data controllers to register with the ICO, and the fees for registration, are changing on 1st April 2018?

Under the current rules, organisations that process personal information are required to register (notify) with the ICO as data controllers.  The notification includes explaining what personal data they collect and what they do with it.  At the point of notification, the data controller is required to pay a fee, currently £35 per year for organisations with fewer than 249 employees, and £500 for all other organisations.

After 25th May 2018 there will no longer be a requirement to notify the ICO in the same way.  Under GDPR, data controllers are to be accountable by maintaining records and conducting assessments of processing activities.

However, there is a provision under the Digital Economy Act that means there is still a legal requirement for data controllers to pay the ICO a data protection fee.  As with the notification fee now, the data protection fee will be used to fund the ICO’s data protection work as all money received in fines is passed directly back to the Treasury.

The Digital Economy Act paves the way for a new funding system.  The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data.  The size of the fee will still be based on an organisation’s size and turnover, but will also consider the amount of personal data being processed.

The final fee structure will go live on 1st April 2018 but is likely to be a three-tier system:

  • Tier 1: annual fee of up to £55 applied to small and medium firms that do not process large volumes of data;

  • Tier 2: annual fee of up to £80 applied to small and medium firms that process large volumes of data;

  • Tier 3: annual fee of up to £1000 for large businesses;

  • And a direct marketing top-up fee of £20 for organisations that carry out electronic marketing activities as part of their business.

If your renewal is due prior to 1st April, then you will simply renew under the old system and the new structure will not affect you until your following renewal.

‘new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.’

Get in touch

For more information about Data Protection Compliance and the GDPR, get in touch with our experts today.


Top 4 AML things you need to tackle in 2018

The wicked, the criminals, are continuously innovating, and creating new ways to make money out of crime. They are also money laundering, on an epic scale. The scale of money laundering in the UK is thought to be £90bn a year.

2017 was a year of change in AML and financial crime, with the long awaited Money Laundering, Terrorist Financing, Transfer of Funds (Information on the Payer) Regulations 2017 (MLR), and the Criminal Finances Act. There was plenty to think about and do. But it doesn’t stop there. The wicked don’t, so we can’t. Here are 4 things you will need to tackle in 2018.

1. Final Guidance

The Legal Sector Affinity Group have prepared guidance for firms on MLR 2017, which is currently in draft form on the Law Society’s website. The guidance has been submitted to HM Treasury, and is currently going through the approval process. It is hoped the guidance will be finalised within the next couple of months. Once the final guidance is released, firms will need to take steps to finalise their policies and procedures.

2. Independent Audit Function

Regulation 21 MLR requires that a firm, where appropriate to the size and nature of its business, establish an independent audit function to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures. Firms will need to consider how to resource this, whether they can do that internally or externally, and consider the scope. Many firms already include CDD in their file review process, but audit may be much wider, reviewing accounts and risk assessment processes.

3. Implementation of the Criminal Finances Act (CFA)

2017 saw the introduction of the CFA, and the Corporate Offence of Failing to Prevent the Criminal Facilitation of Tax Evasion. Firms also need to be aware of the provisions around the extension to the Moratorium Period (r10), the new Information Sharing Powers (r11) and Further Information Orders (r12) which came into force on the 31st October 2017. Policies and procedures for dealing with these may need to be introduced, and staff training delivered, particularly in relation to the Information Sharing Powers, and how to respond should someone seek to share information about a client with them.

4. Amending Directive to 4MLD

On the 15th December the amending directive to the fourth Money Laundering Directive was agreed. This revision of the 4MLD aims to:

  • increase transparency on who really owns companies and trusts by establishing beneficial ownership registers;
  • prevent risks associated with the use of virtual currencies for terrorist financing and limit the use of pre-paid cards;
  • improve the safeguards for financial transactions to and from high-risk third countries;
  • enhance the access of Financial Intelligence Units to information, including centralised bank account registers.

Member states will have 18 months to implement these changes, so firms may need to make further changes to their policies and procedures soon.

It is clear we are a long way off from “Business as Usual” in AML, with a lot of change still to navigate and embed.

Get in touch

For more information about our AML services, simply get in touch with our experts today.


Where to start with the Money Laundering Regulations 2017


Writing a blog about becoming compliant with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 is tricky. So much of what you will need to do will depend on the individual risk factors your firm faces. However, here are some things you should think about doing now.

1. Risk Assessment

You need to complete a risk assessment of your firm. I would look at the following areas, and establish the risk of your firm being targeted for money laundering:

  • Who your clients are
  • Where your clients, or their funds are coming from
  • The services you are providing to your clients
  • How you provide services to your clients
  • Size and nature of your business

2. Policy review and amends

Once you have arrived at your risk assessment, you should review your policy. Make sure you amend references to the 2007 regulations at the very least. It is likely that if you had assessed a client profile as needing enhanced due diligence, it will still need it. However, do review regulation 33 to see whether any changes are needed. You may find that you do not have to change the requirement to apply enhanced due diligence, although the process is very likely to change.

3. CDD Process

There are a number of practical changes you are likely to need to make to your CDD process:

  • You will need to expand the list of information you obtain regarding a corporate client to include information about its constitution, possibly from a review of the articles of association. This could add considerable time to the process.
  • You will need to consider the impact of the change in the definition of beneficial owners in relation to trusts, which is now much wider.
  • Where the client is owned by a beneficial owner, you will also have to take reasonable measures to verify the identity of the beneficial owner so that you are satisfied you know who the beneficial owner is. Previously verification was only required on a risk-sensitive basis.
  • Review your process to identify if your client is a politically exposed person. Under the 2017 regulations a PEP includes domestic PEPs, and the definition has changed to include the governing bodies of political parties, and the boards of international organisations (think FIFA etc). You will need to ensure that a PEP is treated as such until 12 months after they have left post.

4. Internal Controls

The first job is to decide whether your firm is of the size and nature where the controls detailed in regulation 21 should apply. You will have considered this as part of your risk assessment. I think having regard to the risk from the type of work you do, the visibility you have of the client and their source of funds will be factors you should consider. If you feel you are of the size and nature, you will need to:

  • Appoint a member of senior management to be responsible for compliance with the regulations
  • Carry out screening of employees when they join the firm and ongoing, as to their skills and knowledge to carry out their functions effectively, and their conduct and integrity. You may already be doing this for some employees, such as conveyancers under the CQS requirements
  • Establish an independent audit function. Provided that this function can assess the effectiveness of the policies, controls and procedures in place, make recommendations for improvements, and have those improvements implemented, it does not appear that it needs to be an external function.

5. Operational Issues

a. Training

All relevant people will need to be trained on AML/CTF and the Data Protection aspect of the Regulations. Given the changes, you may need to look at training sooner rather than later.


b. Record Keeping and Data Protection

  • You need to make sure you keep the records you obtain for AML purposes for 5 years from the end of the business relationship
  • After that time, you will need to destroy them unless you are required to keep them by law, for court proceedings, or if the client consents. You will need to obtain this consent from the client
  • You will also need to provide the client with the data protection information prescribed by the regulations


c. Dealing with Bank queries on Pooled Client Account

Under the 2007 regulations, Banks could treat the PCA as a low risk product, as long as the firm produced upon request information about the identity of the persons on whose behalf monies are held.

The new Regulations say instead that a bank may apply SDD provided that the:

  • Holder of the bank account presents a low degree of risk, and
  • Information on the identity of the persons on whose behalf monies are held in the PCA is available on request.

In my experience, very few firms have the relevant permission from the client to be able to share this information. You will need to ensure that you have explained to the client, that if the bank requests information about who you hold funds for, you will be required to provide that information, and that you have the client’s consent to do so.

Clearly there will be a lot of work to do over the coming months.

Get in touch

At Teal Compliance, we make complying easy with a range of AML services. To access support for your firm, simply get in touch with us today.


Top 10 GDPR tips for law firms


So, if you haven’t heard about GDPR by now you must have been in hibernation for quite some time!  It’s coming… soon… but where are you on your journey?

A small percentage of you will have been aware of the General Data Protection Regulation (GDPR) since it was adopted in the EU in 2016.  A larger percentage will probably have become aware around the start of 2017, and maybe a few of you have genuinely only just heard about it and are starting your preparations now.

In theory, if you are fully compliant with the Data Protection Act 1998 then you are already part of the way to being compliant with the new regulation, but many firms will find that they were perhaps not as compliant as they first believed. Do you have a large store room full of very old files, for example?

I became aware of GDPR towards the end of 2016 when I attended a Data Protection for COLPs course.  My firm, like many at the time, did not have GDPR on the radar so I went back to the office and began awareness raising, inadvertently volunteering myself to create a project plan and briefing for the Board and I have been managing our preparations since January 2017.

So what are my ten top tips?

1.  It’s a journey, not a destination….

Preparing for GDPR is not about ‘tick-box’ compliance, it’s about making sure your policies and procedures are sustainable, and that you have a plan for checking that your controls, policies and procedures work for your business and are being followed.  Yes, you are working towards getting those policies and procedures in place to ‘switch on’ on the 25th of May, but you also need to ensure that they are sustainable.

2.  Research

GDPR enhances many of the provisions of the current DPA 98 but it also introduces new ideas and data subject rights.  Are you fully up to speed on ‘the right to be forgotten’, ‘the right to data portability’ and ‘privacy by design and default’?  If you are, do you understand what changes you need to introduce to your firm to ensure that you can have workable, sustainable procedures and processes AND to demonstrate accountability?

What is your legal basis for processing personal data?  Do you need to rely upon consent or do you have a different legal basis?  As a law firm you will be processing under a contract rather than relying upon consent but does all of your processing fall under the contract with the client?  Do you process sensitive category data?  You need to understand what data your business processes as well as the GDPR requirements for that data.  Do you understand the definition of ‘processing’?

3.  Information audit

The first, and one of the most important, stages of preparation is to conduct a thorough information audit across all areas of your business – don’t forget that your employees’ personal data is also included for GDPR purposes, it’s not just about your clients’ personal data.  You need to document exactly what personal information you process, why you process it and how you process it.  Consider any risks to the data during processing for each business area.  Treat the audit as a gap analysis – do you still think you are fully DPA 98 compliant, or are there clear gaps which need to be considered?

4.  Plan, plan, plan

Once you have the results of your information audit you should be able to design a comprehensive plan for your preparations.  If you have a Project Management Team, now is the time to get them on board!  What resource do you have that you can dedicate to the preparations?  Your plan will need to be a living, breathing document that you update on a regular basis.  Your plan will evolve and grow as you work through the actions (and may grow longer before you know it!)

5.  Data flow mapping

Do you know how personal data moves through your business?  Can you clearly demonstrate the flow of data through your systems from on-boarding to file closure?  It’s important that you have this mapped out (your IT department are your new best friends!) – how can you comply with a subject access request if you don’t know where to look for all the data subject’s personal data?  Don’t forget your paper filing systems and off-site storage!

6.  Third party systems

Do you use any third-party systems?  Most law firms with a case management system will use a third-party system.  Through your information audit and data flow mapping you should identify exactly what systems you use, but it’s important to also consider where that system stores the data – is it on your network and server, or is it held on the third-party server?  Does it link to your case management system so you can easily access the data if you receive a data subject request?

7.  Awareness and engagement

It’s really important to promote GDPR awareness throughout your business, to all departments and all levels of employees.  Engage all business area heads at the earliest opportunity: they are the people who understand how your current processes work on a day-to-day basis, and without them you will not be able to implement the changes you need to ensure compliance.  Your IT department, whether internal or external, is a valuable asset – do you understand how your IT systems work on a technical level?  Probably not, so make your Head of IT your new best friend and ensure they are fully briefed on GDPR requirements.

Engagement at the top will make your project run smoother – you will need investment in your project in the form of people resource and potentially a financial investment depending on the outcome of your information audit.  You are more likely to secure this resource and investment if your Board, senior stakeholders and investors understand what GDPR means for the business.  Remember, it’s not just about avoiding the potentially huge fines, by being compliant you build trust with your clients and professional partners and through better processes you can offer a high level of customer service.

8.  Policies and procedures

You will need to conduct a thorough review of your data protection policies and procedures – this will include your retention policy, and privacy risk should be included within your risk management framework.  You will need to build new procedures for the new data subject rights.

9.  Data retention

Law firms have a reputation for storing documents and files for much longer than required for legal and regulatory purposes, so now is the time to ‘get your house in order’.  Do you have a robust archiving, storage and retention policy?  If you do, is it followed?  Do you have a secure way to delete files once the storage period has come to an end?  What about legacy systems and databases, and cloud systems?  Can you securely delete data that is held on your third-party systems?  Again, business area engagement is important to ensure that you meet your legal and regulatory obligations (which means you will have to delete some data).

10.  Training

You can have the best policies and procedures in the world, but they are useless if your employees do not know they exist or do not know how to put them into operation.  GDPR is a difficult and dry subject so it’s probably best to break the training down into small chunks.  Make it interactive and engaging (or get someone in who can do this for you).

Get in touch

So, after reading this, how do you feel about GDPR now?  If you are a compliance ‘geek’ like me then you will feel excited and fired up ready to start your journey.  Alternatively, you may be feeling overwhelmed and unsure where to start.  Fear not!  The ICO have some really useful (and free) resources. Alternatively, check out our data protection compliance services or contact one of our experts for more information.


EU-US Privacy Shield: Is the WP29 about to go to war?


Recently, the Bill re-authorising section 702 of FISA (Foreign Intelligence Surveillance Act) was passed in the US House of Representatives after the original December deadline was extended until 19th January.  Although the Bill still has to get through the Senate, it seems that with the backing of President Trump, the Bill allowing targeted surveillance of non-US nationals outside the US will be re-authorised despite the concerns of the EU WP29.

On 28th November 2017 the WP29 published its report on the first annual Joint Review of the EU-US Privacy Shield.  WP29 had previously expressed concerns about the Privacy Shield, and whilst they acknowledge that progress has been made, they still have a number of concerns around transparency and in particular, access for US Law Enforcement and National Security purposes.

“The WP29 welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield through for example the strengthening of the checks performed prior to the listing of certified organizations.”

For those of you who need reminding, in October 2015 the European Court of Justice declared ‘Safe Harbor’ invalid, leaving the EU Commission and the US Government to find a new way of safeguarding EU-US data transfers.  In February 2016, political agreement on a new framework was reached and the final version was adopted by the EU Commission on 12 July 2016.  The self-certified Privacy Shield requires companies to establish a privacy policy which is in line with the privacy shield principles.  Companies are obliged to re-certify on an annual basis.  Part of the agreement was an annual joint review.

In September 2017, the EU Commission and the WP29 visited Washington to undertake the review.  The Commission published its report in October 2017, and adopted a seemingly different position to WP29:

“The Commission stands strongly behind the Privacy Shield arrangement with the US.  Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs.  This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”

However, the WP29 report lists a number of concerns which fall broadly into two categories; commercial aspects and concerns around Government access to EU personal data for law enforcement and National Security purposes (with specific reference to s702 FISA).

The commercial aspects that remain a concern include:

  • A lack of guidance and clear information on the Privacy Shield principles, onward transfers and the rights and available remedies for data subjects;
  • The need for increased oversight and supervision of compliance with the principles;
  • The need to distinguish between the status of data processors and data controllers;
  • Required improvements in the interpretation and handling of ‘HR data’;
  • Lack of rules on automated decision-making and profiling;
  • Unresolved issues from opinion 1 of 2016.

The WP29 acknowledges that progress has been made in comparison with the previous Safe Harbor arrangements.

They also acknowledge that progress has been made in respect of the concerns around access to data for law enforcement and National Security reasons, but a number of concerns remain, specifically in relation to the collection and access of personal data for national security purposes under section 702 of FISA and Executive Order 12333.  Executive Order 12333, originally signed by Ronald Reagan, compels leaders of US intelligence services to co-operate fully with the CIA.

Two programs operate under s702 FISA – PRISM and UPSTREAM.  PRISM requires internet service providers to provide the US authorities with the data of their users corresponding to ‘selectors’.  Under UPSTREAM, telecommunication providers are required to assist the NSA by collecting data from the chosen ‘selector’.  WP29 has specific concerns around the UPSTREAM programme:

“…the WP29 calls for further evidence or legally binding commitments to substantiate the assertions by the US Authorities that the collection of data under s702 is not indiscriminate and access is not conducted on a generalized basis under the UPSTREAM programme.”

WP29 viewed the re-authorisation of s702 as “an important opportunity to include additional safeguards…” but it remains to be seen whether this feedback has been taken on board when the Bill passes to the Senate on 19th January 2018.

What is clear is that WP29 has given a stark warning to the US in respect of the Privacy Shield if their concerns are not addressed prior to the GDPR implementation date of 25th May 2018:

“In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”

If WP29 chooses to go down this route there could be detrimental consequences for EU businesses that need to transfer data to the US (and vice versa).  It would be prudent for those businesses to ensure that they fully understand the systems and processes they have which could be impacted by any such action, and to keep fully up to date with any developments.

In the meantime it’s just a waiting game, with only a few months to go until 25th May.

Get in touch

For more information about our data protection services, simply contact one of our experts today.
