The new EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018. Walker Morris’ Louise Power, a specialist in retail financial services litigation and non-executive director of a local building society, Jeanette Burgess and Andrew Northage, specialists in data protection regulation and compliance, explain why mutuals need to get to grips with the new regime and the practical steps they should be taking now.
A new regime for all
The existing data protection regime is now some 20 years old and technology has advanced significantly since it came into force in the late 1990s. The GDPR therefore aims to harmonise data protection legislation by the creation of an EU-wide single legal framework; to recognise and embrace technological advances for businesses (in accordance with the EU’s Digital Single Market Strategy); and to strengthen citizens’ fundamental data protection rights.
The GDPR will have direct effect in all EU Member States (i.e. it will apply directly in all Member States without the need for any implementation legislation at national level) from 25 May 2018.
Whilst the UK voted to leave the EU on 23 June 2016, the UK will continue to be a Member State, bound by applicable EU laws, for two years from the date a trigger notice is served by the UK Government pursuant to Article 50 of the Treaty on the European Union.
As an Article 50 notice has not yet been served, the GDPR will almost certainly come into force before the UK leaves the EU, which means that UK businesses will be subject to the GDPR for several months before “Brexit”.
Even following a Brexit, due to the expanded territorial scope of the GDPR, UK businesses which offer goods or services to EU data subjects or which monitor EU data subjects’ behaviour will be subject to the GDPR.
It is also likely that post-Brexit, the UK will adopt legislation that closely mirrors the GDPR in order to ensure that it is a safe third country, so that EU organisations can continue to transfer EU personal data to the UK.
Being responsible data controllers, building societies and other businesses operating in the retail financial services industry should start getting to grips with the new data protection regime now.
Key messages for mutuals
This article provides a brief overview of the key changes introduced by the GDPR, including those that will be of particular relevance to building societies and other retail lenders, brokers and financial advisors.
- Increased enforcement powers. The maximum fine for a data protection breach in the UK is currently £500,000. Under the GDPR, however, there will be a two-tier system:
  - fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and
  - fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles, breaches of data subject rights, and so on.
- Record keeping. Instead of registering with the Information Commissioner’s Office (ICO) on an annual basis, the GDPR will require businesses to maintain detailed records regarding their data processing activities.
- Data protection officers (DPOs). The GDPR will require businesses whose core activities involve either the monitoring of data subjects on a large scale or the processing of special categories of data (i.e. sensitive personal data) on a large scale to appoint a DPO, who must be an expert in data protection law.
- Privacy by design and by default. The GDPR contains new rules which require businesses to implement data protection both by design (for example, building-in data protection safeguards when creating new products, services or other data processing activities); and by default (for example, by minimising the amount of data held/processed). There is also a new requirement for businesses to carry out data protection impact assessments to identify privacy risks in new products.
- Data breaches. There will also be a new obligation on organisations to notify data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.
- Security and pseudonymisation. Building societies will already implement certain data security measures. The GDPR builds upon this and requires both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks involved in the processing of personal data. The measures required of financial services firms are likely to be significant, based on their handling and storage of customers’ sensitive financial data.
  Encryption technology is already a fairly commonplace tool for addressing data security, but the GDPR also introduces the concept of ‘pseudonymisation’, also known as ‘key-coded data’. This is where directly identifying details have been removed so that the data appears anonymised, but individuals can still be identified through the use of a ‘key’. For example, take an anonymised list of employees which includes national insurance numbers: knowing which national insurance number belongs to which employee will enable the individuals to be identified.
- Enhanced data protection rights for individuals. Building societies and others operating within the retail financial services sector also need to be aware of, and to comply with, the enhanced rights afforded to individual customers under the GDPR. These include:
  - Right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed, etc.). Where a business removes data pursuant to this right ‘to be forgotten’, the business also has a duty to inform others to whom it has passed the data of the erasure request.
  - Right to object to profiling. This is the right for individuals not to be subjected to wholly automated processing for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements. Individuals are also able to object to decisions made based solely on automated profiling. This could have implications for some credit check and underwriting procedures.
  - Right to data portability. Individuals have the right, in certain circumstances, to receive their data in a structured, commonly used and machine-readable format in order to transfer that data to another controller without hindrance. This is likely to be relevant for account-switching, re-mortgaging and the like. Building societies should consider collaborating with other data controllers to develop smooth and efficient procedures for dealing with data transfer requests.
  - Changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded to include the purposes of the processing; the categories of data held; the envisaged period for which data will be stored; the recipients or categories of recipient to whom the data has been or will be disclosed; the sources from which the data originates; the existence of automated decision-making/profiling and the logic involved; and the safeguards in place relating to any transfer of data to a third country or international organisation.
    The time frame for complying with a SAR will also reduce from 40 days to one month, and in most cases it will no longer be possible to charge a fee for providing the requested information.
    Responses to SARs should be concise, transparent and in an easily accessible form, in clear and plain language.
    The ICO has suggested that organisations which receive large volumes of SARs should consider carrying out a cost/benefit analysis of providing customers with access to their personal data online.
- Consent for data processing. Under the GDPR it will be more difficult to obtain consent for data processing. The GDPR requires that consent must be freely given, specific, informed, unambiguous and demonstrated either by a statement or a clear affirmative action. The GDPR also requires that it must be as easy for a data subject to withdraw consent as to give it.
- New obligations for data processors. For the first time, the GDPR introduces direct obligations for data processors, which will be enforced by the levying of fines and other penalties. Data processors will also be liable to compensate individuals whose rights have been infringed.
Whilst the GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it is also likely to mean greater scrutiny by customers and by regulators, and greater administrative pressure on building societies and others within the retail financial services sector.
As the Information Commissioner himself has said, in light of the new increased fines, there are now 20 million reasons for organisations to get compliance with the GDPR right. The key to getting it right is ensuring that organisations understand in detail how they currently deal with personal data. The best way to do this is to carry out a full information audit, which should include a review of:
- what personal data is collected;
- where it is collected from, how and why;
- where the data is stored;
- what security measures are in place to protect the data;
- how it is processed and for what purposes;
- whether the data is transferred to third parties and, if so, where they are located and what they are doing with the data;
- how long the data is kept for;
- what consents are obtained for processing;
- what procedures are currently in place for dealing with SARs;
- any existing privacy notices; and
- existing contractual arrangements in light of the new data processor obligations.
The results of the information audit should be documented and a gap analysis performed to identify where action needs to be taken to bring processes into line with the GDPR’s requirements. An information audit is a worthwhile investment as it will form the basis of the documentation that organisations will need to keep in respect of their data processing activities.
Although the GDPR will not come into force for nearly two years, there is a lot for organisations to do in order to ensure that they are compliant with the new regime on 25 May 2018. In the words of the Information Commissioner, “Don’t panic, be prepared”; the ICO has already published its 12-step guidance to help organisations begin the process. The ICO is also due to publish further guidance in a number of areas by the end of the year, so it is important for organisations to keep up to date with developments. Walker Morris will be monitoring and publishing updates as and when more information becomes available.
If you have any queries or concerns relating to the GDPR, or if you would like advice and assistance with undertaking an information audit, please do not hesitate to contact Louise Power, Jeanette Burgess or Andrew Northage, who will be very happy to help.