The much-anticipated and long-awaited General Data Protection Regulation (GDPR) has finally been agreed. The GDPR will replace the Data Protection Act 1998 (DPA) in the UK from 25 May 2018. Although this seems like the distant future, the GDPR represents the biggest shake-up in data protection law for over 20 years.
The changes are likely to require a significant overhaul of data protection practices across the financial services sector and the sanctions for non-compliance are potentially severe.
It is therefore important for lenders to start thinking now about what the new law means for them and what changes will have to be made in order to comply. We consider some of the key changes likely to impact lenders and the practical steps that lenders need to take to prepare for the new regime.
What is changing? The GDPR introduces a new concept of 'data protection by design and by default'. This means that you should not allow data protection to become an afterthought: lenders must incorporate privacy considerations into any new project that involves the use of personal data, right from the outset. The new obligation will be to consider and implement security measures to protect personal data before you even start using that personal data.
Businesses will also have to carry out 'data protection impact assessments' (DPIAs) where the use of personal data poses a high risk to the individuals concerned. This is a risk assessment that allows you to review the privacy risks associated with a particular project and implement solutions to mitigate those risks.
What does this mean for you? Every time a new product, service or project is introduced, data protection will have to form a key part of the project planning process. Lenders should start thinking now about which teams would be best placed to deal with the privacy considerations of new projects and what internal procedures and documentation will need to be put in place to ensure appropriate escalation and handling.
What is changing? Individuals’ rights will be significantly expanded under the GDPR. Some rights remain the same, such as the right of an individual to have inaccurate data corrected. Other rights remain in principle but with changes, such as the right of subject access. Individuals will still be able to request a copy of their personal data from a business, but businesses will no longer be able to charge a £10 fee for responding to a request. They will also have to comply within a month rather than the previous deadline of 40 days.
The GDPR also introduces new rights. In particular, the much-publicised right to be forgotten is crystallised. This will require organisations to delete personal data about an individual without undue delay in certain circumstances. A new right of data portability means that individuals will be able to require their personal data to be transferred from one organisation to another, with the aim of facilitating switching between providers.
What does this mean for you? The new rights introduced will require lenders to have a thorough understanding of where all personal data is held so that it can be easily and quickly retrieved and, if necessary, deleted. Lenders can expect to see an increase in the volume of subject access requests now that these can be exercised for free. Lenders may need to dedicate further resources to dealing with requests to exercise rights, in order to ensure compliance with the short timescales.
What is changing? The information that must be provided to individuals about what an organisation is doing with their personal data is much longer under the GDPR. You will need to ensure that individuals are informed of the legal basis on which their personal data is used, third parties who might receive their personal data, transfers of personal data overseas and much more.
What does this mean for you? This is likely to require a significant overhaul of all privacy notices to ensure they are compliant with the new, stricter requirements. It will also be important for lenders to be able to identify the legal basis on which they can justify processing personal data. This is something that is not often given much detailed thought but will need to be carefully considered under the new law.
What is changing? Under the GDPR, organisations will not be able to make significant decisions about individuals where those decisions have been made entirely by automated means. The exceptions to this are where the decision is necessary for the purposes of entering into or performing a contract, or where the individual has given explicit consent.
What does this mean for you? This is perhaps one of the most concerning changes for lenders as it could have a major impact on the process of making lending decisions. In order to justify making decisions on purely automated means, such as credit checking, you will either need to obtain consent or show that the decision is necessary for a contract. The UK may pass further legislation which might make these processes easier for lenders, but unless and until this happens you should give some thought to how (if at all) you could make these types of decisions with some human involvement.
What is changing? The GDPR introduces an obligation on businesses to notify the regulator (in the UK, the Information Commissioner’s Office (ICO)) of any data breaches. The exception to this is where the breach does not result in a risk to individuals. Breaches will have to be notified within 72 hours after the organisation becomes aware of the breach. High-risk breaches will also need to be notified to the individuals affected.
What does this mean for you? This represents a further administrative burden for lenders, who will need to make sure appropriate internal processes are in place to ensure employees can recognise a breach and escalate it correctly. If third parties are involved in processing personal data, you will need to make sure that they let you know if they suffer a breach and assist you in dealing with that breach. Reputational issues may also come into play if breaches have to be notified to individuals.
What is changing? There are also a range of new obligations, which will have an administrative impact on organisations. Businesses will need to appoint a dedicated “data protection officer” (DPO) where they regularly process personal data on a large scale. There will also be an obligation to keep records of all processing of personal data, including the purposes of processing and the legal basis for processing. Increased accountability means that organisations will need to be able to actively demonstrate compliance with the GDPR.
What does this mean for you? Many lenders are likely to fall within the requirement to appoint a DPO and will need to think about who is appropriate for this role (bearing in mind that the DPO must have expertise in data protection). The obligation to keep records means lenders will need to consider in more detail than ever before what legal justification they have to process data. There will need to be appropriate internal procedures to ensure accurate records are kept across the organisation.
What is changing? One of the most talked-about changes brought in by the GDPR is the massive increase in the maximum level of fine available for breach of the provisions. Currently, in the UK, the ICO can impose a fine of up to £500,000 on an organisation that has committed a serious breach of the DPA. The maximum level under the GDPR will shoot up to the higher of €20 million or 4% of annual worldwide turnover.
Individuals will also have a range of other options available to them in the event of a breach by an organisation, such as requiring the ICO to investigate a matter and a statutory right to claim compensation for distress.
What does this mean for you? The revised level of fines demonstrates just how important it is to ensure you are compliant with the new requirements. Particularly for large lenders, 4% of turnover could be a huge figure, which could have significant financial consequences. Even small lenders could potentially face fines which are far beyond what their resources can deal with.
With the GDPR propelling data protection into the media spotlight, it is also likely that individuals will become more aware of their data protection rights. Reputational consequences, which have always been a concern when it comes to data protection, will likely be amplified by this increased awareness.
The level of changes being brought in, and the severe consequences of failing to comply, might seem daunting. Lenders do still have two years in which to reach a compliant position, but the earlier you can start preparing for change, the better.
The first step will be to review all of your current data protection practices and identify where there are gaps that need to be filled to ensure compliance. Mapping all the personal data you hold will also allow you to see where investment is required in system changes to enable you to comply with the new requirements. You should consider appointing a dedicated team to carry out these exercises and think about what further staff training will be required to ensure compliance across your organisation.
First published by Mortgage Finance Gazette on 5 July 2016.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2016. Specific advice should be sought for specific cases.