Trouble viewing this email? Read it online

cummings-logo-2013 (2).jpg

Welcome to EQUITY ISSUES, a short note on a relevant issue in the private equity and venture capital industry.

If you would like to discuss any of the points we raise below, please contact me or one of our other lawyers.


Claire Cummings

020 7585 1406


UK Finance publishes FAQs on the GDPR

UK Finance recently published a set of FAQs on the GDPR, which comes into force on 25 May 2018 and will replace the existing EU Data Protection Directive. The GDPR is aimed at protecting privacy and ensuring that all firms, including in the financial services industry, take proper care when handling consumers’ personal data. The GDPR builds on previous data protection laws and updates them to reflect recent developments such as the growth of the digital economy, the internet and big data. It will also ensure varying data protection rules across different EU countries are more closely aligned. Below is a summary of the FAQs.

How will GDPR impact consumers of financial services?

  • Firms will need to explain in more detail how a customer’s data is used

  • Customers will have better access to information about who their personal data has been shared with

  • Customers may be able to withdraw their consent and request that firms stop processing their data

  • Customers may be able to request that their personal data be erased under the “right to be forgotten”

  • Firms must provide more transparency and notification to customers regarding data breaches

  • Customers may request a copy of the data held by the firm

What changes will financial services customers notice most?

  • Customers will receive updated privacy notices from firms

  • Customers likely to receive more detailed information about how their personal data will be used by the firm

How will the obligations on firms change?

  • Firms must build privacy and data protection into new products from the start of the design process

  • Firms must keep detailed records of all personal data held, such as the reason it is needed and how long it is required for

  • Notifying ICO and/or individuals of a breach

  • Appointment of a data protection officer

  • Apply special protections when transferring data outside of the EU

How will it be enforced?

  • Enforced in the UK by ICO

  • ICO has enhanced powers to enforce the rules and maximum fines increased

Will firms always need a customer’s consent to process personal data?

  • Customer consent is not needed to process personal data in the following circumstances:

    • compliance with a legal obligation

    • to perform a contract

    • where the firm has a “legitimate interest” in processing the data

  • Most personal data processed by financial sector firms will be necessary to comply with legal obligations (such as in the case of fraud detection and anti-money laundering) or to ensure contracts with customers can be enforced, consent will often not be required.

What sort of data processing could be considered in a firm’s ‘legitimate interests’?

  • Commercial interests

  • Fraud prevention

  • IT security

For companies that do ask for consent, how will this change under the GDPR?

  • Consent requires a ‘clear, affirmative action’

  • The request for consent must be prominent, detailed and direct

What about the ‘right to be forgotten’?

  • The ‘right to be forgotten’ (also known as the ‘right of erasure’) can only be invoked

    • where data has been processed illegally

    • where the data is no longer needed by the firm

    • where the individual has withdrawn consent for the data to be processed

  • The ‘right to be forgotten’ can be overridden in some circumstances such as:

    • compliance with a legal requirement

    • reasons of public interest

    • part of legal proceedings

Will people still be able to make a ‘subject access request’?

  • Yes, a customer’s right to access their personal data will remain under the GDPR

How will the GDPR impact marketing?

  • Firms getting consent from customers for marketing purposes must comply with the GDPR requirements

Where can I find out more?

  • The Information Commissioner’s Office has a lot of resources on GDPR (

This document is for general guidance only. It does not contain definitive advice.


We have taken great care to ensure the accuracy of this version of Equity Issues. However, Equity Issues is written in general terms and you are strongly recommended to seek specific advice before taking any action based on the information it contains. No responsibility can be taken for any loss arising from, action taken or refrained from on the basis of this publication. If you would like to be removed from the mailing list of this publication please click unsubscribe below. Nothing within this communication may be copied, reprinted or similar withou prior written consent.

Authorised and regulated by the Solicitors Regulation Authority. Please contact us if you would like to arrange a meeting. This message (including any attachments) from the law firm of Cummings is confidential and may contain information which is proprietary, privileged or otherwise legally protected against unauthorised use or disclosure. If you are not the intended recipient, please do not read, copy, distribute, disclose or otherwise use or place any reliance on any information in this message or any attachments; and please alert the sender by return e-mail, delete this message and any attachments from your system and destroy any hard copies. Neither Cummings nor the sender accepts liability for any corruption, interception or unauthorized amendment of messages or attachments transmitted by e-mail. It is your responsibility to scan this message and any attachments for computer viruses in accordance with good working practice. The firm is not authorised by the Financial Conduct Authority, but is authorised and regulated by the Solicitors Regulation Authority (for the code of conduct please see and undertakes certain activities in relation to investments which are limited in scope and incidental to its legal services or which may reasonably be regarded as a necessary part of its legal services.


Tel: + 44 20 7585 1406
Mob: + 44 7734 057 327

Cummings Law
42 Brook Street
London Greater London W1K 5DB
United Kingdom

25 05 2019

Subscribe a friend | Unsubscribe

email sent by multimail