ECSH33575 - Checking record keeping, reliance and GDPR: data protection
Introduction
As part of your compliance intervention, you should check that the business understands its obligations under the UK General Data Protection Regulation (GDPR) and the requirements under the Data Protection Act 2018 (DPA) as shown in regulation 41 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
For more information see MLR 2017 regarding data protection.
See also ECSH10500 on General Data Protection Regulation (GDPR) and data retention.
The business's data protection obligations
Every organisation that processes personal information must (ICO), unless they are exempt. There is a .
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You firstly need to establish if the business is registered with the ICO. The business may have a registration certificate, or they may tell you that they are exempt.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You should also check that the business provides customers with the required information as required by MLR 2017. The business must do this before establishing a business relationship or entering an occasional transaction with a new customer. The way that businesses provide this information might be on either:
- Their website.
- An invoice.
- The letter of engagement with clients.
- Another method.
You should ask them how they provide the information and may need to see evidence of this.
The business must obtain the consent of the customer if it uses any data obtained under MLR 2017 for any other purposes, as required by regulation 41(3)(b) MLR 2017. It can't do this just by giving notice (it must have expressly obtained consent), so you need to understand if the business uses data in any other way; for example, for marketing purposes.
Non-compliance with data protection requirements
After your discussion with the business concerning data protection, the procedures in place and after the records testing (see ECSH33700), you must consider if there are data protection breaches under MLR 2017. You must consider where the breach lies as there could be corresponding breaches; for example, if training provided to staff does not cover the law regarding data protection relevant to the implementation of MLR 2017, there is a breach of regulation 24 MLR 2017 - see the case study below. You must tell the business that it must correct the breaches without delay.
If you don't feel that the business has sufficient knowledge of its data protection obligations, you need to ascertain whether it does at least provide customers with the information on how their data is processed. You then need to ask and test whether the business uses the data collected under MLR 2017 for any other purposes. Ensure that you record the answers, as these could evidence breaches. Additionally, you should advise the business to read and understand the information available on the ICO's website and the sector guidance published on GOV.UK.
Do you have evidence that the business is using information provided by customers for purposes other than preventing money laundering, terrorist financing and proliferation financing (for example, marketing of new products without the customers' consent)? If so, you will need to report this to the ICO; see ECSH34205 Intelligence report.
Case study
During your compliance intervention with an estate agency business (EAB), you check its understanding of data protection obligations under MLR 2017. You ask questions about what information the business provides to its customers about how their data is used for the purposes of MLR 2017 and preventing money laundering, terrorist financing and/or proliferation financing.
You establish that the EAB does not provide its customers with any information or a statement informing them of how their personal data is processed for the purposes of MLR 2017. Additionally, you note that staff give the CDD information to a clerical assistant who adds the customers to their mailing list. The EAB has not obtained the customers' consent to use their personal data for marketing purposes.
You tell the EAB that this is a breach, and it must be corrected without delay.
Having established breaches of regulation 41(3)(b) and (6) MLR 2017 during the visit, you consider whether there are any linked breaches and make a note to check what training is provided to relevant staff. After reviewing the training material, you confirm that there is no information regarding data protection and ask the business if any other training has been provided. The EAB tells you that all employees receive GDPR training, but nothing in relation to MLR 2017. You conclude that staff have not been made aware of the data protection requirements, a breach of regulation 24(1)(a)(i) MLR 2017, which has led to the breaches of regulation 41 MLR 2017.
On return to the office, you make a referral (see ECSH34205 Intelligence report) to the ICO via the ECS Intelligence gateway for any breaches you've identified regarding DPA or GDPR.
Records testing - what to do if a business is reluctant to provide information due to GDPR concerns
Commercial and personal confidentiality are important to businesses, and therefore you may encounter some resistance to your viewing client lists or records.
During your compliance intervention, if the business is concerned about data protection and is reluctant to provide customer information to you due to GDPR concerns, you should explain that it's not a breach, as the information is reasonably required for crime and taxation purposes. Remember that this only applies to personal data.
The sets out that businesses are permitted to share data with law enforcement authorities who are discharging their statutory law enforcement functions.
After you have explained this to the business, if you continue to experience resistance, you should use the power to require the information and/or documents using a notice under regulation 66 MLR 2017. Remember, as required by MLR 2017, the power may only be exercised in relation to information or documents which are reasonably required to carry out your compliance intervention.