New general data protection regime: The countdown has started, will you be ready?
With less than 20 months to go until the new EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018, Walker Morris’ Louise Power, a specialist in retail financial services litigation and non-executive director of a local building society, and Jeanette Burgess and Andrew Northage, specialists in data protection regulation, explain what the changes mean for lenders and why it’s important to implement a compliance strategy now.
A new regime for all
The existing data protection regime is now some 20 years old and technology has advanced significantly since it came into force in the late 1990s. The GDPR aims to harmonise data protection legislation by the creation of an EU-wide single legal framework, to recognise and embrace technological advances for businesses (in accordance with the EU’s Digital Single Market Strategy) and to strengthen citizens’ fundamental data protection rights.
The GDPR will have direct effect in all EU Member States (i.e. it will apply directly in all Member States without the need for UK legislation to enact it) from 25 May 2018. Theresa May’s announcement at the Conservative Party Conference that the formal process for the UK to leave the EU will be triggered by the end of March 2017 means that the UK looks set to “Brexit” sometime in the first half of 2019, approximately a year after the GDPR comes into force. Until Brexit occurs, the UK will continue to be a Member State, bound by applicable EU laws, including the GDPR.
Even after Brexit, UK lenders will almost certainly have to continue to comply with GDPR. Due to the expanded territorial scope of the GDPR, UK organisations which offer goods or services to EU data subjects or which monitor EU data subjects’ behaviour will be subject to the GDPR.
Elizabeth Denham, the UK’s new Information Commissioner, has also told BBC Radio 4’s PM programme that she doesn’t “think Brexit should mean Brexit when it comes to standards of data protection…The UK is going to want to continue to do business with Europe…In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent…The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment”.
The general consensus is that the GDPR is here to stay and that UK lenders need to make sure that their policies and procedures, as well as their systems and processes, are compliant.
Crucially, there is no transitional period. When the GDPR comes into force on 25 May 2018, UK lenders must comply with the new regime from that date. This means that the countdown has started and UK lenders have less than 20 months to develop and implement a compliance strategy.
As responsible data controllers, lenders and other businesses operating in the retail financial services industry should be getting to grips with the new data protection regime, and implementing their compliance strategies now.
What do the changes mean for mortgage lenders?
The key changes introduced by the GDPR, including those that will be of particular relevance to retail lenders, brokers and financial advisors, are explained below.
Increased enforcement powers
The maximum fine for a data protection breach in the UK is currently £500,000. Under the GDPR, however, there will be a two-tier system which will introduce:
- fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and
- fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles, breaches of data subject rights, and so on.
Instead of registering with the Information Commissioner’s Office (ICO) on an annual basis, the GDPR will require organisations to maintain detailed records regarding their data processing activities.
This will also mean that organisations will no longer have to pay the annual notification fee. However, as 80% of the ICO’s income is funded by the notification fee, there is currently a question mark over how this shortfall in funding will be met. Several options have been mooted, including introducing an annual “information rights” fee which would be calculated by reference to an organisation’s size and the amount of data that it processes, or following the Spanish model which would see the ICO funded by the fines which it imposes. Depending on the funding model which is adopted, this may have budgetary implications, so lenders will need to watch this space.
Enhanced data protection rights for individuals
The GDPR will also introduce new rights for individuals, including:
- Changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded, whilst the time frame for complying has been reduced from 40 days to one month, and in most cases it will no longer be possible to charge a fee for providing the requested information. The ICO has suggested that organisations which receive large volumes of SARs should consider carrying out a cost/benefit analysis of providing customers with access to their personal data online.
- Right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed, etc.). Where an organisation removes data pursuant to this right ‘to be forgotten’, it must also inform others to whom it has passed the data of the erasure request.
- Right to object to profiling. This is the right for individuals not to be subjected to wholly automated processing for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements. Individuals are also able to object to decisions made based solely on automated profiling, which could have implications for some credit check and underwriting procedures.
- Right to data portability. Individuals have the right, in certain circumstances, to receive their data in a structured, commonly used and machine-readable format or to require lenders to transfer that data to another data controller without hindrance. This is likely to be relevant for account-switching, re-mortgaging etc.
These new rights have a number of practical implications for lenders. For example, there appears to be no requirement for individuals to make any of the above requests in writing, so lenders will need to ensure that their customer-facing teams are able to recognise SARs and other requests and deal with them appropriately. Who will be responsible for responding to the requests, and do lenders have sufficient resources to deal with them? Unless managed properly, responding to such requests could be costly in terms of staff and management time and, if mistakes are made, in terms of customer relations, reputation and potential fines from the ICO.
Data protection officers (DPOs)
Under the GDPR, appointment of a DPO (who must be an expert in data protection law) will be mandatory for organisations whose core activities involve either the monitoring of data subjects on a large scale or the processing of special categories of data (i.e. sensitive personal data) on a large scale.
Privacy by design and by default
The GDPR introduces a new concept of privacy by design and default which is intended to ensure that data protection is embedded within organisations and that privacy issues are taken into account as a matter of course. The new rules require organisations to implement privacy both by design (for example, building-in data protection safeguards when creating new products and services or other data processing activities) and by default to ensure that the minimum amount of data is processed.
There will also be a new obligation on organisations to notify data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.
Security and pseudonymisation
Lenders will already implement certain data security measures. The GDPR builds upon this and requires both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks involved in the processing of personal data. The measures required of financial services firms are likely to be significant, based on their handling and storage of customers’ sensitive financial data.
Encryption technology is already a fairly commonplace tool for addressing data security, but the GDPR also introduces the concept of ‘pseudonymisation’, also known as ‘keycoded data’. This is where the directly identifying details have been removed from the data, but individuals can still be identified by anyone who holds a separate ‘key’. For example, take a list of employees from which names have been removed but which still includes national insurance numbers: anyone who knows which national insurance number belongs to which employee can identify the individuals.
The importance of getting security right is highlighted by the record fine of £400,000 which the ICO has recently imposed on TalkTalk. In October 2015, cyber attackers were able to exploit technical weaknesses in TalkTalk’s systems to access the personal data of 156,959 customers including the bank account details of 15,656 customers. The ICO said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease…Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action…Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers”.
Consent for data processing
Under the GDPR it will be more difficult to obtain consent for data processing. The GDPR requires that consent must be freely given, specific, informed, unambiguous and demonstrated either by a statement or a clear affirmative action. The GDPR also requires that it must be as easy for a data subject to withdraw consent as to give it.
New obligations for data processors
For the first time, the GDPR introduces direct obligations for data processors, which will be enforced by the levying of fines and other penalties. Data processors will also be liable to compensate individuals whose rights have been infringed.
Whilst the GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it is also likely to mean greater scrutiny, by customers and by regulators, and greater administrative pressures on lenders and others within the retail financial services sector.
As the former Information Commissioner Christopher Graham said, in light of the new increased fines, there are now 20 million reasons for organisations to get compliance with the GDPR right.
As easy as 1, 2, 3?
The key to compliance for lenders is:
- ensure you understand in detail how you currently deal with personal data;
- ensure you understand how the new requirements will impact your business; and
- develop a comprehensive compliance strategy including an implementation timetable to ensure that you are ready for 25 May 2018.
Step 1 – full information audit
The best way to understand how you currently deal with personal data is to carry out a full information audit which should include identifying what personal data is collected, how it is processed, where it is stored, the security measures which are in place to protect the data and how long data is retained.
The report produced from the audit will also form the basis of the records that lenders are required to maintain in respect of their data processing activities.
Step 2 – gap analysis
The results of the audit should also enable lenders to perform a gap analysis to identify where changes are required to bring policies, procedures, processes and systems into line with the GDPR’s requirements.
Step 3 – compliance strategy
The outcome of the information audit and the gap analysis should form the building blocks of the business’ GDPR compliance strategy. As changes to systems and processes can require a significant lead-in time, it is important that the strategy includes a timetable to ensure that businesses are able to meet the deadline of 25 May 2018.
With less than 20 months to go, lenders need to start implementing their strategy as soon as possible.
How much lenders will need to do to bring their existing practices into line with the GDPR will depend, to a large extent, on how compliant they are with the current regime. Some lenders will have more to do than others but, in the words of the former Information Commissioner, “Don’t panic, be prepared”. Following our 3-step process will set you off on the right foot, and the ICO is due to publish further guidance in a number of areas by the end of the year. Walker Morris will be monitoring and publishing updates as and when more information becomes available.
This article only provides a very brief overview of some of the key changes taking place under the GDPR. If you have any queries or concerns relating to the GDPR, or if you would like advice and assistance with undertaking an information audit or implementing a compliance strategy, please do not hesitate to contact Louise Power, Jeanette Burgess or Andrew Northage at Walker Morris, who will be very happy to help.