How to stay compliant with the new Data Protection rules
Considerable data protection changes are on the horizon. What do firms need to do now to stay compliant? Geoff Buck, associate director at DP Pensions, provides insight
Data protection as we know it is changing. And the impact of the changes are considerable. Until now we have come to live by the principles of the Data Protection Act 1998. These rules are to be amended under new EU regulations, the General Data Protection Regulations or ‘GDPR’.
It is important to note that the new rules apply irrespective of the situation with Brexit.
The new regulations take effect from 25 May 2018 but all firms need to consider the changes now and review their policies, procedures and systems. Any changes to these, need to be fully documented.
There are a number of changes to be considered but two of the more significant changes relate to customer consents and reporting requirements. These are considered further below:
Most advisers and providers will have general statements in our literature advising customers that we are Data Controllers and that their data will be used appropriately, lawfully and for its’ correct purpose etc.
Under the new regulations the consent has to be more specific and state with whom you intend to use the data.
Additionally rather than consent implied as now by virtue of signing up to a product with associated terms and conditions, a customer will need to provide a positive indication of agreement to the processing of their data. This could take the form of a tick box next to a statement confirming that they agree to the processing of their data in this way. It will no longer be sufficient to just refer to this.
The guidance states that consent must be able to be verified so records must be kept to confirm how and when the consent was provided. Consent can be withdrawn too so this should also be recorded.
The changed consent requirement affects existing customers as well as new customers so amendments to current literature need to be considered and notifications to existing customers need to be issued. Consideration also needs to be given to pipeline business and business received as the new rules transition across and embed into processes. How will you deal with these cases? How will you get the right consents?
Under the current data protection regime we will all be registered as Data Controllers with the Information Commissioner’s Office (ICO). Only where there is a serious breach of data being placed into the hands of someone it is not intended for does that breach have to be reported. We all know of instances where this has happened and we might even recall some of the media reports of some of the more surprising high level data security breaches.
Under the new regime there is a requirement to report all breaches where there is a risk to the rights or freedoms of the data subject e.g. where the individual is likely to suffer some form of damage such as identity theft or a confidentiality breach. The notification to the ICO must take place within 72 hours. Fines can be levied by the ICO levied against the Data Controller up to a maximum of 20m Euros or 4% of annual worldwide turnover. The new reporting requirement suggests that firms need to consider how they are keeping internal reports of data breaches and the information they hold on those breaches. Is more information required?
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
For more information and to keep abreast of changes and developments visit the Information Commissioner’s Office website at https://ico.org.uk/
The ICO provides 12 steps firms can take now to ensure they comply with the new General Data Protection Report regulations GDPR when they come law in May 2018. Access the ICO booklet here.