This is the final edition of GDPR Weekly for now, but if you have a question you'd like to ask our experts, please get in touch on email@example.com.
How should an agent consider the GDPR in relation to anti-money laundering regulations?
Bernard George, solicitor for Socrates Training Ltd:
The GDPR has little to do with the anti-money laundering (AML) regulations, save that both are a headache.
The AML regulations say you must keep records of the checks you do on your clients for five years from the end of the relationship.
After that you must delete it, unless the client has consented to you keeping it longer.
Jon Baines, data protection advisor at Mishcon de Reya LLP:
Money laundering has long been recognised as an enabler of serious and organised crime, corruption and terrorism. Anti-money-laundering legislation requires estate agents to register with the HMRC, to have in place risk assessment policies, controls and procedures, to undertake customer due diligence and to report suspicious activity.
Much of this compliance work involves the processing and potential disclosure of customer personal data.
However, provided agents have appropriate measures in place to ensure that such information is kept safe, when stored or in transit, they should have no difficulty in complying with the GDPR, which makes clear that where processing of personal data is necessary for compliance with a legal obligation to which the agent is subject, then it will be lawful.
Additionally, the Data Protection Act 2018 provides gateways, and – where appropriate – exemptions to permit the sharing of personal data in pursuance of AML requirements.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Annemarie Proudfoot, head of customer relations at BestAgent:
Anti-money laundering regulations require, among other things, that agents keep records of customer due diligence for five years.
This of course includes identification verification - and the GDPR does not excuse agents’ obligation to comply with AML regulations.
If a customer has requested to be deleted after having performed a transaction, the agent is still required to safeguard AML information, but may not do anything more with the data than store it for AML compliance.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.