Expert: Jonathan Naismith, Exate Technology
Facilitator: Roderic Rennison, Rennison Consulting
The expert from Exate Technology provided an overview of the main issues that financial intermediaries need to be aware of, as well as the actions that they should consider taking in advance of the GDPR becoming law on 25th May 2018.
Overview of the GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR primarily aims to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
Preparation is key
There is now only just under five months before the new Regulation becomes effective on 25th May 2018, and the Information Commissioner's Office (ICO) has said that there will be no transition period. In addition, whilst the ICO has set out what is required, it does not set out how this will be achieved. Businesses therefore need to take advice based on their own circumstances.
The following steps will help guide businesses in the preparation for the new environment from 25th May 2018.
Check that the key staff in your organisation know about the GDPR and its impact. GDPR will impact resources – you need to plan and prepare early to be compliant in time.
Information you hold
Document the following details: what personal data you hold, where it came from and who it is shared with. You must maintain records of processing activities; the GDPR updates individuals' rights for a networked world.
Communicating privacy information
Review your privacy notices and plan for changes to be GDPR compliant. When you take personal data, it will now be necessary to inform people of your identity and how the data will be used through a privacy notice, as well as explain the lawful basis for processing data and data retention periods.
The GDPR gives individuals the following rights: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making.
Subject access requests
Plan how you will handle requests: in most cases you will not be able to charge for complying with a request; you have a month to comply; you can refuse, or charge for, requests that are manifestly unfounded or excessive; and you must tell an individual why a request is refused.
Lawful basis for processing personal data
Identify the lawful basis for processing activity in the GDPR, document this and update the privacy notice to explain it. Some individuals’ rights will be modified depending on your lawful basis.
Review how you seek, record and manage consent, and whether changes need to be made. To do this, you must read the guidance published by the ICO on consent, which must be freely given, specific, informed and unambiguous.
Consider whether you need systems to verify individuals’ ages and obtain parental or guardian consent for data processing activity. There will be special protection for children’s personal data.
Data protection by design / Data Protection Impact Assessments
Privacy by design will become a legal requirement under the term 'data protection by design and by default'. Data Protection Impact Assessments (DPIAs) will become mandatory in some circumstances. A DPIA is required if data processing is likely to result in a high risk to individuals, where a profiling operation is likely to significantly affect individuals, or if special categories of data are being processed.
Data Protection Officers
You must formally designate a Data Protection Officer (DPO) if you are a public authority, an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out large-scale processing of special categories of data.
If you operate in more than one EU state, determine the lead data protection supervisory authority and document this. If this applies, you should map out where the most significant decisions about processing are made.
Be aware of the cost of falling foul of the GDPR
Fines can be up to 4% of global turnover, assessed at the parent-company level.
For example, had the Tesco Bank breach come under the GDPR, the fine could have been calculated as follows:
Tesco Bank turnover: £955m
Tesco plc turnover: £48.4bn
Fine under GDPR (4% of the parent's £48.4bn turnover): £1.9bn – which would have been bigger than Tesco plc's annual profit!
There may now be only a matter of months before the 25th May 2018 date on which the GDPR becomes law, but there is still time to take steps to be ready and compliant.
Questions to ask yourself
- Do you know all the applications in your firm that hold Personally Identifiable Information (PII)?
- Do you control who has access to PII?
- Do you track and monitor who has viewed or downloaded PII?
- Can you prove that consent was given prior to processing PII?
- How do your SaaS providers protect the PII that you share with them?
- Do your SaaS providers outsource your data to other firms?
- Can you find and delete all a person’s PII if they request it?
- Do you send PII in emails?
If you cannot answer all of these questions with confidence in your systems and controls, you should seek help and take advice now.