An Age of Consent for Personal Data: Preparing for GDPR
In recent years, many financial services organisations have been preoccupied with preparing for MiFID II and planning for Brexit and the uncertainty surrounding it. Such significant change may have diverted attention from other impending regulation. From 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into effect in the UK, bringing with it the biggest change in data protection law in 20 years.
The GDPR aims to unify data protection law across EU member states, and it applies not only to companies established in the EU but also to those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Under the GDPR, companies will need to be more transparent in how any personal data held on individuals is processed, stored and transferred.
GDPR in brief
The GDPR was adopted by the EU in April 2016 and becomes effective in the UK in May 2018, following a two-year transition period during which companies were given notice to establish the data processing practices necessary to comply with the new regulation.
GDPR replaces existing data protection regulation:
- EU Data Protection Directive (95/46/EC) 1995
- UK Data Protection Act 1998 - enacted to bring British law in line with the EU Data Protection Directive
The GDPR is likely to remain binding post Brexit; the UK has agreed to adopt the new data protection regulation into law from May 2018, making it part of the long-term protection of personal data.
With the compliance deadline approaching in May 2018, what should companies who have not yet assessed the impact of GDPR on their data processes be looking at?
Assessing the impact of GDPR on processes and systems
Lawful basis for holding personal data
The GDPR stipulates that personal data processed by companies must be held for reasons that are lawful, fair and transparent. The GDPR targets the protection of stored personal data, affording greater rights to the individual, including children, in how their personal data is processed and shared by companies.
The definition of personal data has been broadened under the GDPR: it now expressly covers identifiers such as online identifiers and location data, and any factor specific to an individual's genetic, mental, cultural, economic or social identity. Companies who process data under these categories must make it clear to individuals the purpose for holding the data at the time that data is collected.
Companies will be required to demonstrate that the information they give individuals about that processing (typically the privacy notice) is concise, intelligible and easily accessible. It is therefore prudent to review current data processing practices and clearly document the basis for holding each type of data.
Sensitive data subject to greater controls
Sensitive data (the 'special categories' of personal data) is subject to a separate, stricter regime under the GDPR. It covers information on an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation; data on criminal convictions and offences is governed by its own provision and attracts similar controls. Evidence of a greater level of care will need to be applied when processing sensitive data. Valid reasons for holding sensitive data include data that has been supplied with explicit consent, is required under employment law, or is held for medical or legal reasons.
Evidence of consent for holding personal data
The GDPR places additional requirements on companies that hold personal data on the basis of consent: consent must be given by a clear affirmative action of the customer, and companies will need to demonstrate that they have obtained it for any personal data held on that basis. The rules around consent also extend to children; for online services offered directly to a child, consent is valid only from the age of 16 (member states may lower this to 13) and below that age the consent of a parent or guardian is required.
In obtaining consent, companies will need to make it clear to the customer what data is being collected and for what purpose, ensuring that the individual can actively opt-in and give their information freely.
Provisions must also be made to allow customers to withdraw consent for their personal data to be held at any time, and withdrawing consent must be as easy as giving it. Companies must be clear on how personal data can be erased from records where requested by the individual, and be able to demonstrate that the data has been removed.
Internal data controls
The reach of the GDPR extends to internal personnel as well as to customers' personal data.
As a result, the human resources records of any company will be subject to the same level of controls as personal data held on external parties. Note that under the GDPR the Data Controller is not an individual appointed within the company: it is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing, and for most firms that is the company itself. Companies should therefore assign clear internal ownership for identifying and documenting the purpose of each in-house processing activity. Where processing spans several legal entities, each entity that determines the purposes and means of processing is a controller in its own right, and joint controllers must agree, and document, their respective responsibilities and how data is to be processed across the organisation.
Responding to Subject Access Requests
Individuals may request access to view any personal data held on them by a company; such requests would be received via a Subject Access Request (SAR). Companies will need to respond to SARs without charging fees, unless the request is 'manifestly unfounded or excessive'. The Data Controller may, for example, charge a reasonable administrative fee if further copies are requested. The request may be made electronically (e.g. by email) and if so, the information should be provided in a commonly-used electronic format, unless requested otherwise.
Responses must enable the individual to understand what information is held about them, how the data is used, the relevant data retention periods and the processes involved in requesting any data corrections. Responses to SARs should be issued within one month of receipt; for complex or numerous requests this period can be extended by a further two months, provided the individual is told of the extension, and the reason for it, within the first month. The Data Controller may withhold information where disclosing it would 'adversely affect the rights and freedoms of others'.
Clamp-down on data profiling
A common practice on company websites is the use of pre-ticked 'tick-box' defaults to gather customer data, and potentially share that data with interested parties. Such practices, whether deliberate or not, may have resulted in inadvertent sharing of personal information.
Under the GDPR, 'profiling' means any automated processing of personal data used to evaluate aspects of an individual, for example to analyse or predict their economic situation, interests or behaviour. Both profiling and the onward passing of customers' personal information to interested parties for profit and reuse require a lawful basis and must be disclosed to the individual. Pre-ticked boxes, silence or inactivity do not constitute consent, so companies whose websites adopt tick-box defaults to gather personal data will need to revise their systems to ensure that customers actively opt in to giving their information.
Data processed in non-EU countries
Data processed by financial services companies is likely already to adhere to the UK Data Protection Act 1998 in ensuring data is not inadvertently shared or transferred without suitable security.
The GDPR permits personal data to be transferred to another country or international organisation, subject to compliance with set conditions, including conditions for onward transfer. In a similar way to the current framework, the GDPR allows data transfers to countries whose legal regime is deemed by the European Commission to provide adequate personal data protection. In the absence of an adequacy decision, transfers to non-EU states are allowed only in limited circumstances, e.g. under standard contractual clauses or binding corporate rules.
Tougher financial penalties for non-compliance
The scale of the GDPR and its impact on companies should not be underestimated. Fines for infringements attract a new higher limit of 4% of annual worldwide group turnover or €20 million, whichever is the greater; a lower tier of 2% or €10 million applies to less serious infringements such as failures in record-keeping or breach notification.
So how likely are the penalties to be enforced? By way of illustration, a fine for the recent Yahoo data security breach would, under the GDPR, have been in the region of $200m, an indication of how heavily companies can be penalised for non-compliance.
Under the GDPR, financial penalties may become more commonplace as individuals are also given the right to bring private claims for compensation. A move towards greater protection for the individual may even result in 'ambulance chasing' techniques similar to those that have thrived under PPI claims, where companies who do not have sufficient controls in place, or evidence of their data protection controls, may be penalised financially.
Pathway to GDPR-readiness
The initial challenge for financial services companies preparing for GDPR will be to ensure that all personal data held is lawful, fair and transparent.
1. Establish a project team
The first step towards assessing the impact of GDPR is to establish a project team to understand the impact of GDPR on current data processing practices. Key members would comprise data protection specialists (including the DPO, where appointed, and the business owners of each data set), legal and systems experts.
2. Review data processes and systems
Current data processing practices should be reviewed to identify the impact of GDPR, and an assessment made of how systems will meet the criteria stipulated by the regulation.
3. Review and document lawful bases for holding personal data
The reasons for holding personal data should be reviewed and the lawful basis clearly documented in data protection policies and procedures, making it clear how customers' personal data is processed and shared.
Where evidence of consent is required but cannot easily be demonstrated, customers may need to be contacted to obtain explicit consent under the GDPR requirements.
4. Appoint data protection personnel
Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data, must appoint a Data Protection Officer (DPO); other firms that process high volumes of personal data should consider doing so as best practice. The DPO will need to put in place processes that make it easy to identify non-compliance, as any personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; breaches likely to result in a high risk must also be communicated to the affected individuals without undue delay.
5. Review data processing controls
Data processing takes on greater significance under the GDPR. Companies need not only to identify which records fall within the regulation but also to identify any data fields that, while not identifying on their own, can be linked to an individual, especially where they could be used to pull together additional data on that person. For example, an employee database keyed on a unique identifier such as an employee number presents a risk under the GDPR where that identifier is reused across systems and so can be used to reach personal data on the employee held elsewhere.
Where processing is outsourced, the third party is a Data Processor acting on the Data Controller's instructions and must be bound by a written contract setting out the subject matter, duration, nature and purpose of the processing, the processor's security obligations and the controller's right to audit. Where processing stays in-house, no contract is needed, but the same level of detail must be applied to the internal processing function. The relationship between the Data Controller and each Data Processor must be mapped and clearly demonstrate how data is governed and controlled.
6. Mitigate risk through data separation
The GDPR introduces the concept of 'pseudonymisation': processing personal data so that it can no longer be attributed to a specific individual without additional information, with that additional information held separately and subject to technical and organisational controls. This separation of data may significantly reduce the risks associated with data processing, and there are clear incentives for Data Controllers to pseudonymise the data they collect: the regulation names it as an appropriate security measure and relaxes several requirements on controllers who use it. Pseudonymised data nevertheless remains personal data, because the controller (or anyone holding the additional information) can still re-identify the individual; only data from which the link has been irreversibly destroyed counts as anonymous.
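The pseudonymisation described above, and the erasure evidence called for under the consent section, can be demonstrated with a small worked example. This is added example code, not code from the original page or from ISC; the customer records, field names and the `IdentityVault` class are constructed assumptions for illustration. The working dataset keeps only a keyed-hash token per subject; the key and the token-to-identity table (the 'additional information') are held in a separate vault, so erasure is the deletion of that link and can be evidenced as such.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed sample records; shape and values are illustrative assumptions, not data from the page.
CUSTOMERS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1980-01-02", "product": "ISA", "balance": 1250.0},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1975-06-30", "product": "GIA", "balance": 9800.0},
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1980-01-02", "product": "SIPP", "balance": 40000.0},
]

# Fields that identify the person directly; everything else stays in the working dataset.
DIRECT_IDENTIFIERS = ("name", "email", "dob")


class IdentityVault:
    """The 'additional information' of the GDPR definition: a secret key plus the
    token-to-identity table. It is held apart from, and more tightly controlled than,
    the working dataset produced by pseudonymise(). (Hypothetical class, for illustration.)"""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, dict] = {}

    def token_for(self, record: dict) -> str:
        """Derive the subject token for a record and remember the link to the identity."""
        ident = {k: record[k] for k in DIRECT_IDENTIFIERS}
        canonical = json.dumps(ident, sort_keys=True).encode()
        # Keyed hash rather than a plain SHA-256: an unkeyed hash of an e-mail address is
        # reversible by hashing a list of candidate addresses. Same identity -> same token,
        # so records for one person can still be joined in the pseudonymised dataset.
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = ident
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        """Controlled re-identification, e.g. to answer a subject access request."""
        return self._lookup.get(token)

    def erase(self, token: str) -> dict:
        """Right-to-erasure handling: remove the link and return an evidence record
        showing that the token can no longer be resolved to a person."""
        removed = self._lookup.pop(token, None) is not None
        return {"token": token, "link_removed": removed, "resolvable_after": token in self._lookup}


def pseudonymise(records: List[dict], vault: IdentityVault) -> List[dict]:
    """Replace direct identifiers with a subject token; the result is what analysts, batch
    jobs and third-party processors receive."""
    out = []
    for record in records:
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_token"] = vault.token_for(record)
        out.append(working)
    return out


def leaks_direct_identifiers(records: List[dict]) -> bool:
    """Release check: True if any direct identifier field survived in the dataset."""
    return any(k in record for record in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = IdentityVault(secrets.token_bytes(32))   # key generated per deployment, never stored with the data
    dataset = pseudonymise(CUSTOMERS, vault)
    print("leaks identifiers:", leaks_direct_identifiers(dataset))
    alice = dataset[0]["subject_token"]
    print("SAR lookup:", vault.reidentify(alice))
    print("erasure evidence:", vault.erase(alice))
    print("after erasure:", vault.reidentify(alice))
```

Two design points are worth noting. The token is deterministic for a given identity so that Alice's ISA and SIPP records stay joinable without anyone outside the vault knowing they are hers; if joining is not needed, a random token is simpler and removes any dependence on key secrecy. And because the vault can still re-identify, the working dataset remains personal data in GDPR terms; destroying the vault's key and table (so-called crypto-shredding) is what would turn it into anonymous data.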
7. Review, upgrade and / or optimise systems
The GDPR places greater responsibility for holding personal data onto companies that claim to need that data. The impact of this change means that many systems that hold data for transactions or that are used to make payments will require defined processes that can demonstrate how customers' personal data is being managed.
In addition to suitable data protection processes and controls, companies may need to upgrade existing systems or replace them with more compliant ones. The need for system updates will become more evident as a GDPR-project matures; information on any breaches should be recorded with suitable records retained and steps taken to mitigate recurrence. Tactical solutions can be introduced as a temporary fix; over time, a more robust model may be required to implement the controls required by the regulation.
On the surface, it may appear that the GDPR is weighted in favour of the individual, with increased protection and rights over how personal data is processed and shared. The prospect of stricter data controls, and the scale of the GDPR's impact on processes and systems, may seem daunting, but companies who are prepared for it will benefit from greater consumer trust and reputational gains, and will mitigate the risk of financial loss.
Greater clarity on the regulation in the early part of 2018 will further inform the scope of any GDPR project. As the financial services industry embraces the data regulatory changes, better steers will be put forward by industry bodies that develop best practice. The GDPR will no doubt mature beyond the May 2018 deadline and tactical solutions replaced with more robust and efficient management of personal data.
ISC has worked with many large and small asset management companies on the implementation of regulatory requirements including Solvency II, AIFMD and MiFID II. Our regulatory compliance pages hold more information about the support we can offer. ISC Regulatory Compliance Services.