GDPR – data needs to be in safe hands
The General Data Protection Regulation (GDPR), due in April of next year, will govern how businesses process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act. Unlike the current regime, the Regulation will be imposed directly onto the countries’ legal systems, rather than leaving them free to enforce it under their own national legislation.
The General Data Protection Regulation (GDPR), due to come into force on 25 May 2018, will govern how businesses process individuals’ data across all EU member countries. It will replace the UK’s Data Protection Act and be enacted in the UK regardless of Brexit. The regulation will raise the bar in terms of the processes surrounding how companies collect, use and store data.
The changes present organisations with some very tough challenges indeed. Decades of transactional legacy systems (often held together by makeshift processes) must now reflect a regulatory focus on personal data that is end-to-end. Consumers will have the right to opt out of being profiled according to their interests and behaviour unless they have previously consented or it is required in the terms of a contract with a company. Companies will also need to give specific and clear information on how personal data will be used.
GDPR sets a higher standard for consent compared to previous legislation, with consent requiring ‘clear affirmative action’ by consumers. This can include ticking a box on a website, but silence, pre-ticked boxes and inactivity do not constitute consent. In addition, individuals will be able to exercise enhanced rights, including the ‘right to be forgotten’ and the ‘right of data portability’.
The risks to lenders (and other owners and processors of personal data) of GDPR failures are significant. These increased compliance requirements are backed by heavy financial penalties. The top tier of fines that can be imposed is up to £20m or 4% of annual worldwide turnover, whichever is greater. The fines apply to infringements of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows.
Individuals will also be able to sue entities for compensation if they are distressed by acts of non-compliance. This has, of course, always been possible, but organisations should prepare themselves for the fact that under GDPR, claims frequency may increase. The landmark judgment of the Court of Appeal in Vidal-Hall & Ors v Google Inc signalled the dawn of a new beginning for data protection litigants. Prior to this case, the law in England was relatively settled: in order to incur civil liability under the Data Protection Act 1998, the claimant had to establish at least some form of pecuniary damage (unless the processing related to journalism, art or literature). However, the removal of Section 13(2) of the Data Protection Act has opened the door very much wider to claims, as the vast majority of data breaches will cause little or no pecuniary loss; they go to privacy intrusion, or in other words, distress. Claims have certainly increased since Vidal-Hall and are only likely to continue now that the Supreme Court will not be overturning the decision.
All this presents some massive challenges to fragmented value chains such as those involved in mortgage lending. From the broker to the network, to the lender to the valuer, conveyancer and back again, there are many hand-off points of personal data that will require clarification of process and responsibility. The roles of the Data Controller, an entity that determines the purposes and means of processing personal data, and the Data Processor, anyone processing personal data on behalf of the Controller, will need to be clearly understood.

Equally, understanding what is personal data and what is not will be a challenge. The key point is that if data can identify an individual, it is personal. This means property data may remain outside the scope; however, any instruction to visit a property will involve handling an individual’s contact details, and at that point the data becomes personal.
Key changes to EU data protection introduced by the GDPR
– More rigorous requirements for obtaining consent for collecting personal data.
– Raising the age of consent for collecting an individual’s data from 13 to 16 years old.
– Requiring a company to delete data if it is no longer used for the purpose it was collected.
– Requiring a company to delete data if the individual revokes consent for the company to hold the data.
– Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach.
– Establishing a single national office for monitoring and handling complaints brought under the GDPR.
– Firms handling significant amounts of sensitive data or monitoring the behaviour of many consumers will be required to appoint a data protection officer.
– Fines up to £20m or 4% of a company’s global revenue for its non-compliance.
Andrew Bickell, Vice President, Global Professional & Financial Risks, a division of Lockton Companies LLP
Andrew Bickell, a Senior Vice President at Global Professional & Financial Risks, a division of Lockton Companies LLP, explains, ‘PII has the potential to provide indemnity for legal liability arising from a GDPR breach, but only where a claim is made by a third party, and provided the claim arises in consequence of the provision of professional business. Additionally, PII may cover 80% of defence costs relating to any statutory proceedings against the Insured relating to a GDPR breach, provided defending such proceedings could protect the Insured (in the reasonable opinion of Insurers) against any claim from professional business undertaken by the Insured.
For all companies in this chain, specialist Cyber Insurance can be structured to offer broad protection including, in the event of a loss of data, cover for the costs incurred in an investigation by the Information Commissioner’s Office. While PI will offer some coverage in the event of a network breach, it does not cover elements specifically undertaken by Cyber Insurance, such as breach response services, the restoration of data lost and any potential business interruption loss of revenue or additional increased cost of working.
Importantly, in the event of a breach, cyber insurance will cover notification costs and legal advice on how best to undertake the notification. Further, breach response services include IT forensics to help diagnose and fix a network incident and PR consultants to prevent further reputational damage. PI coverage does not include these first-party expenses, only responding when a third-party claim is made against the Insured.
Andrew believes there is a considerable amount of work to be done. ‘In summary, it is likely valuation companies are going to need both types of cover. Those engaged in valuations and private general practice work should already have both policies in place. This legislation is bringing that rigour to the entire supply chain. Processes and cover will require a forensic overhaul.’