GDPR, what is it?
Data protection has become more important than ever before with the implementation in the UK from 25 May 2018 of the General Data Protection Regulation (GDPR). The government has confirmed that the UK’s decision to leave the EU will not affect the continuing effect of the GDPR in this country.
Where you are introducing individuals to a finance provider, you will need to collect, control, process and share personal data about the individual. As such you will be caught by the provisions of the GDPR.
This briefing is intended to reiterate for you the new obligations you therefore have under the GDPR so that you can check that you are acting compliantly. Since implementation, I am still seeing some parts of the asset finance industry not quite there yet in embedding all the requirements. Whilst this briefing note does not cover everything you should be doing, it highlights areas that I consider are worth pointing out to readers.
What you should do
All organisations who process personal data are responsible for complying with the GDPR. Compliance with the GDPR is likely to have required organisation-wide changes for you to ensure that personal data is processed in compliance with the GDPR’s requirements. If you have not experienced such changes then it is likely that you would have missed something. You should have good policies, procedures and processes in place on how to comply with data protection.
There should also be a formal contract in place between lenders and brokers which addresses the sharing of data between you both. You should also both have privacy notices drafted that you can give to your customers detailing what you are doing with their personal data and why you are collecting it. The lender’s notice and the broker’s notice will be different, so you will need to build in working processes to deal with this so that the customer receives both notices before either of you does anything with their data.
Here in this briefing note we talk about some of the main areas which you should have looked at by now as a business to ensure compliance with the GDPR.
The new Principle of Accountability
The new ‘Principle of Accountability’ under the GDPR requires that you not only comply with the principles of data protection but that you are also able to actively demonstrate such compliance if asked to do so.
The Information Commissioner’s Office (ICO) is the body responsible in the UK for ensuring compliance with data protection legislation and regulation. However, it will work with other regulatory bodies, such as the Financial Conduct Authority (FCA), to ensure such compliance where necessary.
You must keep records to demonstrate your compliance with the GDPR. For example (note this is not an exhaustive list):
- you will need to identify and record the purpose and legal basis specified in GDPR upon which you rely to process personal data;
- you will need to keep records of how you capture and record personal data;
- you will need to keep the personal data secure;
- if you discover any errors or inaccuracies with the personal data, you must correct these, and make a record of the fact that you have made the correction, and
- if you know that you have passed inaccurate information to a third party (for example, a finance provider) you must inform them so that they can correct their records – and, again, you should record what you have done.
What data is covered by GDPR?
The GDPR covers personal data, which it defines as:
“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal Data includes:
- Personal details;
- Family and lifestyle details;
- Education and training;
- Medical details;
- Employment details;
- Financial details;
- Contractual details (for example, goods and services provided to a data subject);
- Genetic, biometric and health data;
- Online identifiers (IP addresses, cookies).
What is the difference between Processor and Controller and what are their responsibilities?
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Once a finance agreement is in place, if an individual has queries about it or about the way in which their personal data is being handled, in most cases these will be addressed to the finance provider because they will usually be the controller for this personal data. In some circumstances, however, individuals may contact their broker directly as they may feel more comfortable raising the issue with the broker. In addition, in some cases the broker may be the relevant data controller rather than the finance provider. There may also be some circumstances where a third party, such as a retailer or dealer, is the data controller, for example where they are exercising significant discretion over who to share the individual’s personal data with, what data is provided and how it is provided, and are asking other parties to carry out processing tasks.
What are the rights of individuals?
Individuals have certain rights under the GDPR including the right to:
- Information (this is the right to receive certain information on their request about the way their personal data is being collected and processed);
- Access their own personal data (including receiving a copy of any such data held on request);
- Correct personal data (to correct inaccurate personal data held by the data controller and to complete incomplete personal data held by the data controller);
- Erase personal data, also known as the right to be forgotten (data subjects have the right to request the erasure of their personal data in certain circumstances, such as where they are withdrawing their consent to its use);
- Restrict data processing (in certain circumstances, such as where the data subject contests the accuracy of such data);
- Object to data processing (for example for marketing purposes);
- Receive the transfer of their personal data to another data controller (known as data portability);
- Not be subject to automated decision-making (including profiling);
- Be notified of a data security breach (when a personal data breach is likely to result in a high risk to a data subject’s rights, a data controller must notify the data subject of the security breach without undue delay).
Individuals can also request from you confirmation as to:
- The purposes of the processing of their personal data;
- The categories of personal data concerned;
- The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- The right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where the personal data is not collected from the data subject, any available information as to its source;
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The GDPR requires a very high standard of consent. You must be able to demonstrate when you are dealing with an individual’s personal data that the individual owner of that personal data gave their informed, unambiguous and proactive consent to the processing and you will bear the burden of evidencing that you collected the consent in a valid manner.
You should carefully review your existing practices to ensure that any consent obtained from an individual as to the control and processing of their personal data indicates affirmative agreement from them and that you can demonstrate that this is the case. The use of opt-in (for example, ticking a blank box) rather than opt-out (i.e. pre-ticked) boxes is vital. Mere acquiescence (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR. You must also consider how you will discharge the evidential burden of demonstrating that consent has been obtained.
The individual shall also have the right to withdraw their consent at any time, known as the right to be forgotten. You must ensure that an individual can withdraw their consent at any time. It must be as easy to withdraw consent as to give it. You should liaise with your funders or other brokers to ensure that procedures are in place to effect this successfully.
Instead of registering with the ICO, the GDPR requires you to maintain detailed documentation recording your processing activities and the GDPR specifies the information this record must contain.
Strict data breach notification rules
The GDPR requires you to notify the ICO of all data breaches without undue delay and, where feasible, within 72 hours, unless the data breach is unlikely to result in a risk to the individuals. If this is not possible, you will have to justify the delay to the ICO by way of a “reasoned justification”. If the breach is likely to result in high risk to the individuals, the GDPR requires you to inform data subjects “without undue delay”, unless an exception applies. You must make sure you have effective procedures in place to comply with these time limits.
The right to erasure (“right to be forgotten”)
The customer has a right to ask you to delete their personal data completely. You should consider how you will give effect to the right to erasure (right to be forgotten) as deletion of personal data is not always straightforward.
The right to data portability
Data subjects have a new right to obtain a copy of their personal data from you (if you are the controller) in a commonly used and machine-readable format. They also have the right to require you to transmit their data to another controller (for example, an online service provider) in a commonly used and machine-readable format. In exercising this right, the data subject can request that the information be transmitted directly from one controller to another, where technically feasible. You should consider how you will give effect to these rights and create template documents.
Data subject access requests
You must reply within one month from the date of receipt of the request and provide more information than was required previously. You should plan how you will respond to an individual’s data subject access request within the new time scale and how you will provide the information required. The execution of a contract or the provision of a service cannot be conditional on consent to processing or use of data that is not necessary for the execution of the contract or the provision of the service.
Under the GDPR you must issue individuals with a ‘privacy notice’ as soon as possible in your relationship with them detailing a number of factors including what personal data you will be collecting from them, what you will do with it, who you will share it with and how long you will retain it. The GDPR prescribes what sort of information these privacy notices should provide. Where you have collected personal data directly from an individual, all privacy notices should contain the information below as prescribed by the GDPR:
- the identity and contact information of the organisation collecting the personal data;
- details of any data protection officer where relevant (and if no data protection officer is required, details of any other individual responsible for data protection);
- the purpose and legal basis for processing the personal data (i.e. why are you processing the personal data);
- if you are relying on “legitimate interests” as a legal basis for processing the personal data, details of what these are;
- the recipients, or categories of recipients, of the information;
- details of any transfers of the information to another country outside of the European Economic Area;
- the period for how long the personal data will be retained (including stored);
- the individual’s rights in relation to the personal data under the GDPR;
- if you are relying on “consent” as a legal basis to process the personal data, where this is the case, and how consent can be withdrawn;
- the right to lodge a complaint with the regulator (in the UK, ICO);
- what personal data must be provided as part of a statutory or contractual requirement and what happens if that information is not provided; and
- if the personal data will be profiled or automatically processed, details of when this is the case.
There are also requirements for where the personal data has not been collected directly from the individual. You must therefore ensure you familiarise yourself with these provisions to ensure all privacy notices, regardless of the source of the personal data, are compliant.
It is not necessary to provide the information in a single comprehensive document. The ICO accepts that a layered approach may be used. This means that short notices can be given containing the key privacy information but which have additional layers of (or links to) more detailed information if the individual wishes to know more. For example, if online, the key information could explain why the individual’s data is being passed to finance providers and how it will be used, with links then provided which take the individual through to the lender’s websites where the full privacy information can be read (and, where appropriate, with a link to your own website). It should be remembered that some individuals may not have access to, or be able to use, digital sources. You should therefore ensure that such individuals are able to access the privacy information by alternative means, for example by telephone or verbally or by post. In some cases lenders may ask you to have copies of certain information available, should a customer need a paper copy, for example the Credit Reference Agency Information Notice (CRAIN).
While the GDPR does permit privacy notices to refer to ‘categories’ of recipients of the individual’s personal data, rather than necessarily naming the actual recipients of it, this possibility has to be considered alongside the overall requirement that information be handled fairly and transparently. The ICO has indicated that, in its view, the most practical solution is for a broker presenting an individual with their privacy notice to explain within that notice why the individual’s personal data is being passed to lenders, and to direct the individual to the website(s) of the actual lender or lenders to which the broker will be passing their personal data. The individual can then read the lender’s own privacy notice, which will provide the individual with full information as to what the lender will be doing with that individual’s data. The inclusion of links to lenders’ websites is, however, still not mandatory, and it is for you as the broker to consider the most appropriate approach for your organisation and your customers.
The Locke Lord team are supporting clients through GDPR compliance to include building adequate processes and procedures within the lenders and brokers/intermediary online customer journey. For further information please contact Joanne Davis at email@example.com or Rachael Browning at firstname.lastname@example.org.