Theresa May’s speech to the great and good assembled at the recent World Economic Forum in Davos tackled key topical issues such as big data, the responsibilities of technology companies and online abuse. These are significant areas of concern which will prevail for some time. Indeed, the upcoming General Data Protection Regulation (GDPR) legislation will have a significant impact on the legal landscape, which lenders and companies will have to navigate.
The GDPR will apply from 25 May 2018 and will introduce significant changes for data protection in the UK, with new obligations and sanctions placed on lenders and companies alike. It is designed to enhance data protection for individuals and address issues with the transfer of personal data outside of the EU.
A new bill, which implements and supplements the GDPR in the UK, will replace the Data Protection Act 1998 (the “DPA”) which is currently in force. According to the Minister of State for Digital this will give the UK “one of the most robust…set of data laws in the world…and prepare Britain for Brexit”. The new bill is currently having its first reading in the House of Commons.
There are many similarities between the GDPR and the DPA and this article does not propose to list and explore each individual change which the GDPR will impose. Instead, whilst current compliance with the DPA will stand lenders in good stead in complying with the GDPR, this article aims to highlight some key areas which organisations can consider and review prior to 25 May 2018.
In the run up to 25 May 2018, the data protection authorities and the Department for Digital, Cultural, Media and Sport have been considering how best to implement the GDPR into associated UK legislation. It is expected that additional guidance will be issued by these sources in due course. In the meantime, the Information Commissioner’s Office (the “ICO”) has issued advice on what institutions can do to prepare for the GDPR coming into force.
To start with, the ICO recommends that organisations undertake an information audit prior to 25 May 2018. The GDPR requires organisations to maintain a record of their processing activities, with accountability written into the GDPR as a legal obligation. It is an active obligation, not a passive one. As such, organisations are strongly recommended to be aware of the personal data which they currently hold and have an awareness of the type of personal data that they will continue to acquire going forward.
There is also an obligation on organisations who share personal data which subsequently turns out to be incorrect, to inform anyone with whom the organisation has shared the incorrect information with that the information is in fact incorrect. Again, this requires an awareness of the personal data which is held and who it is shared with. This will be particularly important in the context of the broker/lender relationship.
Considering the high level of personal data which financial institutions (be it banks, building societies, money lenders and so on) hold, undertaking an information audit would be a sensible exercise over the coming months.
Whilst lenders will generally have procedures already in place to avoid data breaches, data protection breaches can still occur. From 25 May 2018, data controllers will be under a duty to notify serious data protection breaches without undue delay, and where possible within 72 hours. Data protection breaches will need to be reported to the ICO where it is likely to cause the rights and freedoms of individuals to be at risk.
In light of the tight deadline to report breaches to the ICO, organisations may want to start reviewing their existing reporting procedures and streamline these, where possible, to ensure that they meet the additional requirements imposed by the GDPR.
The obligation to report breaches to the ICO should not be taken lightly, as failing to do so would likely result in a fine – the ICO will be given more power to issue higher fines of up to £17 million or 4 per cent of global turnover for the most serious data breaches.
The GDPR formalises the need for Privacy Impact Assessments (“PIA”), which had previously just been considered good practice. These assessments are referred to the GDPR as “Data Protection Impact Assessments” (“DPIA”) and are needed when high risk processing takes place, at which point a lender will need to identify and evaluate any risks and determine how such risks can be reduced. The need to carry out such assessments will now be a legal requirement. Organisations should therefore formalise their procedures for DPIA’s and ensure that they have individuals who are trained to carry out DPIAs.
The GDPR is being implemented in the UK in the wake of the decision to leave the European Union. Whilst the UK will leave the EU after the GDPR comes into force, a level of stability in relation to data transfer with both EU and non-EU Member States going forward will be key to a smooth transition out of the EU and will be something that the UK government will likely be keen to maintain.
If anything, Brexit therefore makes it more important to ensure a level of data protection stability is maintained in the years to come, especially for financial institutions, in the wake of the UK putting itself forward as a financial hub. The ICO, along with other government institutions, is still providing guidance on the implementation of the GDPR. Organisations should therefore continue to review their processes and keep an eye out for additional guidance in the coming months.
It has already been observed that data is the oil of the 21st century and considering the significant potential impact of the GDPR, companies would be well advised to listen to what the Prime Minister has to say.