24) Other regulation affecting the advice process Flashcards
What are the rules relating to data protection?
To follow process for customer due diligence, such as identification, then such info is handled appropriately and stored securely.
If not, customer’s right to privacy is breached and exposes them to risk of being victim to fraud such as identity theft.
When did General Data Protection Reguln come into effect in UK?
25 May 2018 (previously EU legislation was Data Protection Directive 1995) - applies to ‘personal data’, wh is info relating to an indiv who can be identified (name, ID No., location data, online identifier etc)
What are data protection principles? (DP)
GDPR is set of six DP principles, all relating to processing perso data
1) data shd be processed lawfully, fairly and transparently.
2) collected for specified, explicit and legitimate purposes - not processed further to be incompatible w above said purposes - archiving for public interest, scientific, historical/statistical res purposes is okay
3) Data collected shd be relevant, adeq and ltd to purpose for which it is processed.
4) Kept accurate and up to date - inaccurate data and those not reqd for purpose for wh processed shd be erased or rectified without delay.
5) Data kept in a form that permits identifn of subjects and for no longer than nec, (archiving for some purpo allowed)
6) Ensure data processed with approp secu, wh incl protec against unauthorised and unlawful processing, and use approp tech and organisational measures against accidental loss, destruction and damage
What are some of the data collected and what are GDPR reqts of such data?
- — Data subject-an indiv whose perso data is processed
- — Personal data - info that can dir/indir identigy a natural person
- —Special categories of personal data - sensitive and req more protec - gen.lly collected with explicit consent from indiv and may include
- race *religious beliefs *political persuasion
- trade union membership * sexual orientation
- health *biometric data *genetic data
- —Processing - covers all aspects of data including
- obtaining data *recording of data
- orgn or alteration of data *disclosure of data
- erasure/destruction of data
- —Data controller _ is the ‘legal’ person who det for what purpo is processed and how it is done. Data controller can be an employer/orgn, partnership, sole trader - they have prime respon for ensuring reqt of Act are carried out.
- —Data processor - person who processes perso data on behalf of data controller.
When can an organisation process data?
An orgn shd always have a lawful basis for processing perso data. At least one of the followg must apply
1) Consent - clear consent given by indiv to process
2) Contract - Processing is nec for contract betn orgn and indi, or indi has asked for it before entering into contract
3) Legal obligation - processing is nec to comply w law
4) Vital interests - processing is nec to protect life
5) Public task - nec for orgn to act in public interest
6) Legitimate interests - Processing is nec for organisation’s/third party’s legitimate interests, unless there is good reason to protect such perso data wh can override those legiti interests
What rights does a data subject have regarding their data?
1) To access their data through subject access request
(without charge)
2) correct inaccurate data
3) erase data - in certain cases
4) object to data
5)move personal data from one service provider to ano
How does an orgn demonstrate compliance with GDPR?
1) must establish a governance str. w roles and responsibilities
2) keep a detailed record of all data processing operations
3) document data protection policies and procedures
4) for high-risk processing opns, carry out data protec impact assessments
In cases where orgn/busi are estd in >1 EU country, processing will be monitored by one single DPA (data processing authority) - the ‘lead authority’, wh is whr the busi has main offices/has ctrl admini/whr maj of mgt decisions take place, also applies to countries outside of EU who have reln with EU
Who enforces GDPR?
Information Commissioner
What powers do an Info Commissioner have to enforce GDPR?
- *- Serve info notices –ask orgn for specified info w.in certain time
- *- Issue undertakings - to orgn to improve compliance
- *- Serve enforcement notices and ‘stop not’ orders where there has been a breach
- *- Conduct consensual assessments (audits)
- *- Serve assessment notices - to conduct compulsory audits for compliance check
- *- Issue monetary penalty notices - for breaches
- *- Prosecute - for criminal offences under Act
- *- Issue ban - temp or permanent ban imposed
What actions constitute as criminal offences under GDPR?
> Data controller failing to comply w an info or enforcement notice.
Failure to make proper notification to Info Comsnr
(Notifn is the way in wh a data contlr registers w Info Comsnr’s Office of acknowledging that perso data is held and by specifyi g the purpose of it.
Processing data w.out authorn. from Comsr.
Intentionally or recklessly re-identifying indiv from pseudonymised or anonymised data.
What is the role of The Pensions Regulator (TPR)
TPR is respon for regln of work-based pension schemes (sometimes personal pension schemes)
= protect benefits of occupational pension schemes
= protect perso pension schm. whr there is direct pay arrangement
= promote good admin of work-base schm
= reduce risks of situa wh may lead to claims for compensation form Pension Protection Fund
= maximise employer compliance to Pensions Act2008
= minimise adverse impact on sustainable gr of employer.
(TPR aims to iden. and prevent potenl prob rather than deal w them whn they arise - risk-based approach considering
=likelihodd of an event occurring
= impact of the event on the schm and its members
Powers of The Pensions Regulator (TPR)
1) Investigating schms: =iden and inves risks =req reg returns to regulator = trustees/schm mgrs to notify imp changes to info e g type of bene provided = if cannot meet funding reqts
2) Putting things right: = req sp action to improve w.in sp time = recover unpaid contribu from employer to schm = disqualify unfit and not proper trustees =impose fines/prosecute
3) Acting against avoidance: =preventing deliberate avoi.ce from employers of their pension obligations, leaving Pension Protection Fund (PPF)to cover liabilities
=Issue contribution notices to employer failing to pay into schms/PPF or issue finanl support directions fir underfunded schms.
What is the Pension Protection Fund?
Estd in Pensions Act 2004, PPF protects memb of pvt sector defined-benefit pension schms in the vent of the firm becoming insolvent/insuff funds to maint bene for schm memb.
Also to compensate loss by dishonesty for occupational pensn schm
PPF compensates by =imposing levy on defined-bene schms. =takes on assets of schms transferred to fund.
= recovery of assets from insolvent employers.
= grow its own funds by investment.
What are some of the financial services affected by EU Directives?
1= Electronic Money Regulations - authorisation/registraion of new electronic money issuers (EMI)
2= Investment Services Directive (ISD) - wh enables investt firms to operate in diff europn states (but only after authorn by home state)
3) Markets in Financial Instruments Directive (MiFID)
Applies to firms providing serv to clients in reln to tradeable finanl instruments such as shares, bonds, units and derivatives. but NOT life assureance, pensions and mortgs) MiFID aims to enhance competition and consumer protection by setting reqts in * conduct of busi *organisation and * market transparency MiFID distinguishes core acti “(investt serv and act”i) and non-core acti (“ancillary acti”). If firm has both core and non-core then both come under MiFID, if only non-core then not.
4) Undertakings for Collective Investment in Transferable Securities (UCITS) - applies to regulated investt funds that can be sold to gen public throughout EU, by common framework of investor protecn and product control.
Life Assurance: =to provide EU citizens w access to widest poss range of insu pdts w highest stds of legal and finanl protec and =enable and insu co. authorised in any of memb states to pursue acti throughout EU.
General Insurance: =Non-life insurance Companies estd in one state can establish branches and varry out acti in other states. Companies can be authorised for more than one class of non-life insu.
Explain Directive on Insurance Mediation (IMD)
IMD (Jan 2003) ensures insu co.s can operate throughout the EU, and to ensure that retail markets in insu are accessible and secure. Insu Distri Directive Oct 2018 intro in Oct 2018 to strengthen IMD. Insurance mediation is described as ‘ acti of intro.g, proposing or carrying out other work preparatory to the conclusion of contracts of insu, assisting in admin and perfor.of such contracts, esp in the event of a claim’ If en employee of insu co/agent acting under an insu co carry out such acti, they are not included in the definition of insu mediation.
All indep insu (and reinsu) intermediaries must be regd w a competent authority in their home state, in the UK they must be regd with FCA.
