GDPR digest - tmaclub.com · ARE YOU GDPR READY? {More than a MORTGAGE CLUB} GDPR digest


ARE YOU GDPR READY?

{More than a MORTGAGE CLUB}

GDPR digest

contents. at a glance

ICO Helpline

Principles

Privacy by design

Lawful basis for processing

Privacy Electronic Communications Regulations - PECR

Documentation

Encryption

Physical security

Breaches

Data controllers and third party processors

Individual rights

Privacy impact assessments

So in summary...

ICO practical guidance

Customer Privacy notice and E-Marketing customer consent templates

CPD - online tests

INTRODUCTION.

Keep calm and prepare for the GDPR.

Over the course of this bulletin we will highlight some key areas that you should be aware of to assist you in complying with the GDPR. We will keep it as simple as possible, yet still provide the detail if required by providing various links towards the end of this document for your reference (ICO Practical Guidance).

As a reminder, the GDPR comes into force 25 May 2018; it replaces the Data Protection Act and was designed to harmonise data privacy laws across Europe.

In the course of providing mortgage and protection advice, your business will control or process vast quantities of personal data relating to customers.

Personal data doesn’t just relate to customers of your business either. If you are an employer, your employees’ personal data is also subject to GDPR requirements.

Furthermore, there are additional requirements in relation to personal data which is classed as sensitive, e.g. health records, racial or ethnic origin, political opinions or trade union membership – this is known as “Special Category” data.

Under the GDPR you will have significantly more legal liability if you are responsible for a data breach.

so what do i need to do?

As a starting point, you should be reviewing:

Your grounds for controlling or processing special category data;

Your privacy notices for customers and the basis upon which you undertake your marketing activities; and

Your data security controls.

some important questions to ask yourself:

Have I documented what data I hold and where?

Is it secure? How do I know?

On what grounds is it legitimate for me to make contact with my customers?

If there is a data breach, what are my reporting procedures?

Be disciplined with your data – have I given customers the option to ‘opt-out’ of receiving marketing from me, and recorded that fact?

What if I lost my laptop or USB stick?

It goes without saying that you must take time to become familiar with the subject, be in control and be aware.


ico helpline. The Information Commissioner’s Office (ICO) launched a dedicated advice line in March 2018 to help small organisations prepare for the GDPR.

The phone service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law.

People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

principles. Under the GDPR, the revised data protection principles set out the main responsibilities for businesses as follows - personal data shall be:

Processed lawfully, fairly and in a transparent manner in relation to individuals;

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Data Controller shall be responsible for, and be able to demonstrate, compliance with the aforementioned principles.


privacy by design. Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as after-thoughts or ignored altogether.

Although this approach is not a requirement of the Data Protection Act, it will help businesses comply with their obligations under the legislation.

The ICO encourages businesses to ensure that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:

Building new IT systems for storing or accessing personal data;

Developing legislation, policy or strategies that have privacy implications;

Embarking on a data sharing initiative; or

Using data for new purposes.

Implementing a ‘‘privacy by design’’ approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to several benefits; for example, potential problems are identified at an early stage, when addressing them will often be simpler and less costly.

lawful basis for processing.

Under the GDPR, the processing of personal data can only take place if one or more of the following ‘‘lawful conditions’’ are satisfied.

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law.

Vital interests: the processing is necessary for you to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Consent is one of the most commonly used conditions under data protection laws but has become tougher under the GDPR, which is why the other options, e.g. Contract and/or Legitimate Interests, may be more suitable for your business.

Whatever you decide, you must determine your lawful basis (as well as the purpose) before you begin processing, and you should document this in your Customer Privacy Notice.

If you are processing special category data then ordinarily you need to satisfy one or more of several other conditions, e.g. explicit consent - this requires a very clear and specific statement of consent, for example ticking a box.

The draft Data Protection Bill (reflecting GDPR requirements) currently going through its parliamentary stages should, when it becomes law, provide an exemption from the need to obtain prior explicit consent to processing health information where it is required for the purposes of advising upon, arranging or providing protection advice. You should make sure you can rely on this exemption if and when it becomes law.

The same principle also applies to information relevant to past criminal convictions, which is usually an underwriting requirement in buildings and contents insurance. The reason is that there is a substantial public interest to customers having protection and general insurance, and therefore explicit prior consent to processing should not act as a barrier to obtaining such insurance.

Using a Customer Privacy Notice, your sales process will need to include clear explanations of data processing, setting out what you propose to do with individuals’ personal data.

privacy and electronic communications regulations - pecr.

As well as the GDPR, The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside the current Data Protection Act. They give people specific privacy rights in relation to electronic communications.

PECR is not new; it simply sets out some extra rules for electronic communications. You must still comply with the Data Protection Act/GDPR as well.

Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act/GDPR, and vice versa - but there are some differences and you must make sure you comply with both.

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message.

You will often need specific consent to send unsolicited direct marketing, especially if you do so by email or automated telephone calls. The best way to obtain valid consent is to ask customers to tick opt-in boxes or provide a signature confirming they are happy to receive marketing calls, texts or emails from you.

You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.

Remember that the customer is entitled to withdraw their consent or ‘‘opt out’’ at any time.

https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/

documentation.

You need to make sure that you have in place a record of your processing activities - improving your controls will help to demonstrate compliance with the principles and the concept of privacy by design.

Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.

The ICO calls this ‘‘documentation’’ and you may be required to make the records available to the ICO on request.

We suggest you carry out an internal audit to determine:

What data does your business hold?

Where is it kept?

Where did it come from?

What do you do with this data?

Do you hold sensitive data, e.g. race, religion, sexual orientation or health?

Who do you share it with?

How long do you keep it for?

Is it protected (password protected/security software/encryption)?

Then document this information as thoroughly as possible, ideally in electronic form, e.g. an Excel sheet with several relevant fields (see the points above) so you can add, remove and amend information as necessary.

It is also best practice to keep a record of your Customer Privacy Notice, any data breaches and any contracts you may have with third parties who process your customer data, e.g. a Client Management System.

As previously mentioned, if you’re an employer, your employees’ personal data is also subject to GDPR requirements, so include this in your review.

encryption.

In recent years there have been numerous incidents where personal data has been stolen, lost or subject to unauthorised access.

In many of these cases, the incidents were caused by data being inadequately protected or by the devices the data was stored on being left in inappropriate places - and in some cases both.

The ICO has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.

Encryption protects information stored on mobile and static devices and in transmission - businesses should therefore consider encryption alongside other security measures.

An example of which is as follows:

A business issues laptops to advisers for remote working, so as a result there is the risk of loss or theft of the devices.

Therefore the business Principal requires that all data stored on laptops is encrypted, as this significantly reduces the chance of unlawful processing of the data in the event of loss or theft.

In February 2018, the FCA released a joint statement with the ICO and confirmed that, as part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls -

https://www.fca.org.uk/news/statements/fca-and-ico-publish-joint-update-gdpr

physical security.

Physical security is another thing to consider - levels of physical security should be appropriate to prevent unauthorised access to personal data. It is important to assess the risk of unauthorised access to your premises or anywhere data is stored and ensure an appropriate level of security to protect personal data.

Below are some examples of measures a firm could implement to help mitigate risks:

Are your premises secure from a break-in, e.g. secure locks and alarms?

Do you maintain a clear desk policy to reduce the risk of customer data being lost or stolen?

Do you keep your cabinets locked when not in use?

Do you lock your computer screen when not in use?

Do you raise staff awareness of the risks of poor physical security?

breaches.

The GDPR introduces a duty on all businesses to report certain types of data breaches to the relevant authority - where possible, you must do this within 72 hours of becoming aware of the breach.

We suggest that you keep a record of any breaches, be aware of what information you need to provide and document a process for reporting them.

Ideally this responsibility would be allocated to a dedicated person.

Here’s where you can report a personal data breach to the ICO. This may include, for example, the loss of a USB stick, data being destroyed or sent to the wrong address, the theft of a laptop or hacking.

To report a breach you can call the ICO helpline on 0303 123 1113.

When you phone, they will ask you questions about:

What has happened;

When and how you found out about the breach;

The people that have been or may be affected by the breach;

What you are doing as a result of the breach; and

Who they should contact if they need more information and who else you have told.

Alternatively, you can use the security breach notification form.

data controllers and third party processors. Another thing we suggest you think about is how your firm’s business relationships may impact your business and the personal data you process.

Some questions to ask:

Do you share personal data with third parties outside of your own business, e.g. IT suppliers, outsourced HR services, administrator services etc.?

What assurances do you have in place now regarding how the third parties you have relationships with securely store and process the personal data you share with them?

Do you have a written contract with these external third parties that you can rely on? Does it need updating to reflect GDPR?

Don’t let your firm’s treatment of personal data put your customers or your business at risk - make sure that any third party data processor protects the personal data you ask them to process in the same way as you are required to.

individual rights. Under the GDPR, individuals have the right to:

Be informed - individuals should be entitled to a minimum set of information concerning the purposes for which their personal data will be processed.

Gain access to their information - individuals can request access to their personal data, and the GDPR obliges controllers to comply with such requests where applicable and to supply this data free of charge if the request is reasonable; this must be carried out within one month of receiving the request.

Rectification - individuals can request a controller rectify any errors in their personal data where applicable, and this must be carried out within one month of receiving the request.

Erasure - individuals can request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Restrict processing - individuals can ‘‘block’’ or suppress processing of personal data.

Data portability - individuals can obtain and reuse their personal data for their own purposes across different services.

Object - individuals can object to:

Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

Direct marketing (including profiling); and

Processing for purposes of scientific/historical research and statistics.

Not to be subject to profiling evaluation - individuals should not be evaluated in any material sense solely on the basis of automated processing of their personal data.

Not to be subject to automated decision making - individuals have the right not to be subject to a decision when it is:

Based on automated processing; or

It produces a legal effect or a similarly significant effect on the individual.

You therefore need to ensure that your procedures are adequate to enable data subjects to exercise the rights listed above.


privacy impact assessments. Privacy Impact Assessments (PIAs) are an integral part of taking a ‘‘privacy by design’’ approach.

PIAs are a tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.

You can integrate the core principles of the PIA process with your existing project and risk management policies. This will reduce the resources necessary to conduct the assessment and spread awareness of privacy throughout your firm.

so in summary. . .

Understand the content of this document

Be aware and be accountable

Train staff - ask TMA how they can support you with this

Carry out an audit - understand and challenge the data that you hold

Review your documentation

Update your Customer Privacy Notice

Update and review your processes, at least annually

Continue to raise awareness

Maintain compliance with the GDPR

ico practical guidance.

Whilst we hope you found this guidance useful, please also find below plenty of additional reference material available from the ICO:

12 steps to take now: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

Overview of the GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Consent draft guidance including a consent checklist: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

Video - GDPR message for the boardroom: https://www.youtube.com/watch?v=eFNRgX049cw

Video - introduction to the GDPR: https://www.youtube.com/watch?v=qE_aIY-_QkA&index=4&list=PLaprDSeyZ5_6ERGEy4zP2QbCB-fjL0RRV

Self-assessment: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

GDPR home website: https://www.eugdpr.org/eugdpr.org.html

customer privacy notice and e-marketing customer consent templates.

TMA now have a Customer Privacy Notice and E-Marketing Customer Consent template available that meet GDPR standards, which have been added to the existing document library. At £50 + VAT, our Document Library already provides a wealth of guidance material for your business and includes items such as:

Financial Crime Policy and Procedures

Data Security Guidelines

Template Suitability Letters

Template Disclosure Documents; and

Complaint Handling procedure with supporting documentation

If this is of interest, please let us know - [email protected].

cpd - online tests.

TMA also have online tests available to help you and your staff understand the GDPR requirements - access can be provided that will help you and your staff comply with the Training and Competence sourcebook rules. Multiple topics are covered, such as Complaint Handling, Treating Customers Fairly, Conduct Risk, Fraud and of course the GDPR.

£50 + VAT per licence per year.

You can now also record your CPD on the new refreshed test platform.

If this is of interest, please let us know - [email protected].

To find out how TMA can support your compliance needs, give us a call on:

0330 303 0236