ECSH33575 - Duties of supervisory authority: how we check compliance: operational guidance: checking record keeping, reliance and GDPR: data protection
Introduction
As part of your compliance check, you should check that the business understands its obligations under the UK General Data Protection Regulation (GDPR) and the requirements under the Data Protection Act 2018 (DPA) as shown in regulation 41 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
For more information see ECSH63625 and Regulation 41 regarding Data protection.
See also [link to ECSH10500 General Data Protection Regulation (GDPR) and data retention].
The business’s data protection obligations
Every organisation that processes personal information must pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt. There is a register you can view online.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You firstly need to establish if the business is registered with the ICO. The business may have a registration certificate, or they may tell you that they are exempt.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You should also check that the business provides customers with information and a statement as required by regulation 41(6). The business must do this before establishing a business relationship or entering an occasional transaction with a new customer. The way that businesses provide this information might be on either:
- their website
- an invoice
- the letter of engagement with clients
- another method
You should ask them how they provide the information and may need to see evidence of this.
The business must obtain the consent of the customer if it uses any data obtained under MLR 2017 for any other purposes as required by regulation 41(3)(b). It can’t do this just by giving notice (it must have expressly obtained consent), so you need to understand if the business uses data in any other way; for example, for marketing purposes.
Non-compliance with data protection requirements
After your discussion with the business concerning data protection and the procedures in place, and after the records testing (see ECSH33700 Records testing), you must consider if there are data protection breaches under MLR 2017. You must consider where the breach lies as there could be corresponding breaches; for example, if training provided to staff does not cover the law regarding data protection relevant to the implementation of MLR 2017, there is a breach of regulation 24 of MLR 2017 - see the case study below. You must tell the business that it must correct the breaches without delay.
If you don’t feel that the business has sufficient knowledge of its data protection obligations, you need to ascertain whether it does at least provide the information of how data is processed to the customers. You then need to ask and test whether the business uses the data collected under MLR 2017 for any other purposes. Ensure that you record the answers as these could evidence breaches. Additionally, you should advise the business to read and understand the information available on the ICO’s website and sector guidance published on GOV.UK.
If you have evidence that the business is using information provided by customers for purposes other than preventing money laundering, terrorist financing and proliferation financing (for example, marketing new products without the customers’ consent), you will need to report this to the ICO; see ECSH34205 Intelligence report.
Case study
During your compliance check with an estate agency business (EAB), you check its understanding of data protection obligations under MLR 2017. You ask questions about what information the business provides to its customers about how their data is used for the purposes of MLR 2017 and preventing money laundering, terrorist financing and/or proliferation financing.
You establish that the EAB does not provide its customers with any information or a statement informing them of how their personal data is processed for the purposes of MLR 2017. Additionally, you note that staff give the CDD information to a clerical assistant who adds the customers to their mailing list. The EAB has not obtained the customers’ consent to use their personal data for marketing purposes.
You tell the EAB that this is a breach, and it must be corrected without delay.
Having established breaches of regulation 41(3)(b) and (6) during the visit, you consider whether there are any linked breaches and make a note to check what training is provided to relevant staff. After reviewing the training material, you confirm that there is no information regarding data protection and ask the business if any other training has been provided. The EAB tells you that all employees receive GDPR training, but nothing in relation to MLR 2017. You conclude that staff have not been made aware of the data protection requirements, a breach of regulation 24(1)(a)(i), which has led to the breaches of regulation 41.
On return to the office, you make a referral (see ECSH34205 Intelligence report) to the ICO via the ECS Intelligence gateway for any breaches you’ve identified regarding DPA or GDPR.
Records testing - what to do if a business is reluctant to provide information due to GDPR concerns
Commercial and personal confidentiality are important to businesses and therefore you may encounter some resistance in viewing client lists/records.
During your compliance check, if the business is concerned about data protection and is reluctant to provide customer information to you due to GDPR concerns, you should explain that it’s not a breach as the information is reasonably required for crime and taxation purposes. Remember that this only applies to personal data.
The ICO’s website sets out that businesses are permitted to share data with law enforcement authorities who are discharging their statutory law enforcement functions.
After you have explained this to the business, if you continue to experience resistance, you should request the information and/or documents using a notice under regulation 66 [ECSH71500 MLRs Regulation 66 Power to require information, access or documents]. Remember, as required by regulation 66(4), the power may only be exercised in relation to information or documents which are reasonably required to carry out your compliance check.