Broker guide to GDPR - Aldermore

What you need to know about GDPR as a Financial Broker

Sponsored by LOCKE LORD

Dear Partner

The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continue to increase. I am sure you’ve heard of the General Data Protection Regulation (“GDPR”), which will change the way we all have to handle client data. Given the dramatic rise in the personal data held by companies, used to tailor and market their services and products to their customers, GDPR has been designed to reinforce an individual’s right to take control of their own data and ensure companies use it appropriately. As a broker and introducer of financial products, along with all other UK businesses who hold client data, your legal obligations and responsibilities on how you collect, record and administer customers’ data are changing… and you need to be ready and prepared!

The implementation of GDPR is due to come into effect on 25th May 2018, therefore it’s critical you understand what this means for your business and the responsibilities you have in working with each of your funders. Ultimately, given the sensitivity and potential fines for non-compliance and data breaches, if you are unable to categorically state to your funding partners that you’re GDPR compliant… your trading relationships may be suspended! There is a lot of preparation needed, so don’t leave this until the last minute! Our guide aims to help you understand what you need to do by setting out the key points of the legislation, while outlining how you can start planning the areas you may need to consider alongside your funding partners. Thank you to the team at Locke Lord and Jo Davies for their help in producing this report.

Joanne Davies, Head of Asset & Consumer Finance, Locke Lord (UK) LLP

Carl D’Ammassa, Group Managing Director - Business Finance, Aldermore Bank PLC

Practical Wisdom. Trusted Advice. www.lockelord.com


GDPR, what is it and when is it coming?

This briefing is intended to inform you of your new obligations under the General Data Protection Regulation (GDPR) so that you can protect yourselves, but more importantly, so that you can ensure that the rights of individuals under the GDPR legislation are given priority. Data protection has become more important than ever before with the pending implementation in the UK from 25 May 2018 of the General Data Protection Regulation (GDPR). The government has confirmed that the UK’s decision to leave the EU will not affect the implementation of the GDPR in this country. The GDPR is designed to reinforce an individual’s right to take control of their own data. It lays down rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data. Within this guide, you’ll find a number of useful hints to help you to assess the impact GDPR will have on your business.

What you should do now… plan!

Compliance with the GDPR is likely to require organisation-wide changes for you to ensure that an individual’s (“data subject’s”) personal data is processed in compliance with the GDPR requirements. You need to be aware that these changes may require a significant amount of time to implement. Failure to do so could mean that you are left with new requirements to implement, without having set aside the appropriate resources necessary to achieve compliance.

The new Principle of Accountability

The new ‘Principle of Accountability’ under the GDPR requires that you not only comply with the principles of data protection but that you are also able to actively demonstrate such compliance if asked to do so. The Information Commissioner’s Office (ICO) is the body responsible in the UK for ensuring compliance with data protection legislation and regulation. However, it will work with other regulatory bodies, such as the Financial Conduct Authority (FCA), to ensure such compliance where necessary. You must therefore keep full records to demonstrate your compliance with the GDPR.

HINT Talk with your senior management, partners and team to understand what preparations and projects are in place to ensure that you will be GDPR compliant by 25th May 2018.

HINT If you are unable to print off or locate your Data Operating Procedures and Processes, you will need to produce them, so take the relevant actions now to rectify this.


Tougher penalties for breaches

The GDPR introduces a number of important changes, including greater investigative and enforcement powers for the ICO, such as the power to levy significant fines. A person who has suffered material or non-material damage as a result of an infringement of the GDPR has a right to receive compensation from the person responsible for the damage they have suffered. It is important to note that failure to comply with the GDPR can also result in damaging adverse publicity. Increasingly, any wrong step in the area of data protection attracts intense media scrutiny, regardless of whether any law has in fact been infringed. This can cause significant damage to the reputation of the business concerned and any connected business. This may prevent funders from wanting to deal with the organisation in the future and they may withdraw from their relationship with you. Customers may also look elsewhere if you have a bad reputation within your market sector.

What data is covered by GDPR?

Personal data is covered by the GDPR. The GDPR defines personal data as:

“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data includes:
• Personal details;
• Family and lifestyle details;
• Education and training;
• Medical details;
• Employment details;
• Financial details;
• Contractual details (for example, goods and services provided to a data subject);
• Genetic, biometric and health data;
• Online identifiers (IP addresses, cookies).

HINT Check what information you currently deal with and whether it could be considered to be personal data. Personal data will not only apply if you are dealing with consumers – it also applies to your business customers as well.

What is the difference between Processor and Controller and what are their responsibilities?

HINT Have you drawn up guidelines with your funding partners that set out your responsibilities at each stage of the customer’s journey and when your role could change from processor to controller?

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

When you first meet a customer who is using a broker to find finance, the broker is in control of the personal data at that point and will therefore be considered to be a controller. Where the broker passes that personal data over to a funder, the funder becomes a processor of the personal data when considering whether to accept the customer for finance. At the point the funder has accepted the customer, the funder will become the controller of that personal data.

What are the rights of individuals?

Individuals have certain rights under the GDPR, including the right to:
• Information (this is the right to receive certain information, on their request, about the way their personal data is being collected and processed);
• Access their own personal data (including receiving a copy of any such data held, on request);
• Correct personal data (to correct inaccurate personal data held by the data controller and to complete incomplete personal data held by the data controller);
• Erase personal data, also known as the right to be forgotten (data subjects have the right to request the erasure of their personal data in certain circumstances, such as where they are withdrawing their consent to its use);
• Restrict data processing (in certain circumstances, such as where the data subject contests the accuracy of such data);
• Object to data processing (for example, for marketing purposes);
• Receive the transfer of their personal data to another data controller (known as data portability);
• Not be subject to automated decision-making (including profiling);
• Be notified of a data security breach (when a personal data breach is likely to result in a high risk to a data subject’s rights, a data controller must notify the data subject of the security breach without undue delay).

HINT Check your current documentation to assess if you correctly state how you use a customer’s personal data and if you can action the above requests, e.g. the right to be forgotten.

Individuals can also request from you confirmation as to:
• The purposes of the processing of their personal data;
• The categories of personal data concerned;
• The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
• Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
• The right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
• The right to lodge a complaint with a supervisory authority;
• Where the personal data is not collected from the data subject, any available information as to its source;
• The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


Are there any changes to my responsibilities?

Yes, there are a number of changes to your responsibilities, which you will now have to demonstrate.

1. Consent

HINT You should carefully review your existing practices to ensure that you obtain proper consents from your individual customers and that you can evidence that the customer has fully understood how you will be using their personal data. This means you should use methods to collect consent which require a proactive activity by the customer (for example, ticking a blank box to indicate their consent rather than allowing for a pre-ticked box). Failing to un-tick a pre-ticked box will not constitute valid consent under the GDPR.

The GDPR requires a very high standard of consent as we have set out above. You must be able to demonstrate when you are dealing with personal data that the individual owner of that personal data gave their informed, unambiguous and proactive consent to the processing and you will now bear the burden of proof that consent was validly obtained. The individual shall also have the right to withdraw their consent at any time, known as the right to be forgotten. The execution of a contract or the provision of a service cannot be conditional on consent to processing or use of data that is not necessary for the execution of the contract or the provision of the service. You must ensure that an individual can withdraw their consent at any time. It must be as easy for them to withdraw their consent as it is to give it. You should liaise with your funders or other brokers to ensure that procedures are in place to effect this successfully.

2. Risk based approach

The GDPR adopts a risk-based approach to compliance, under which you bear responsibility for assessing the degree of risk that your processing activities pose to individuals. You may be asked to prove that you have carried out such assessments and present evidence of this to the ICO.

HINT Identify where you are handling personal data and keep documented evidence that you have considered the risk connected to the handling of this personal data, and then put in place controls to address these risks. For example, use encrypted emails to pass personal data to your funder and limit the number of people within your business who can access such data.

3. Privacy by design and by default and privacy impact assessments

When you create new products, or attempt to implement existing products in a different way (i.e. offering them to a new audience), you are required to consider the personal data involved in the transaction from the outset and ensure that the new product effectively protects such personal data by its very design, for example by only collecting the relevant personal data that is needed to complete the task. There are also requirements for you to perform mandatory privacy impact assessments (PIAs) before carrying out any processing that uses new technologies that are likely to result in a high risk to data subjects.

HINT Ensure your policy and procedure documents reflect the fact that you are aware of these requirements and that they are being complied with.


Other things that you need to bear in mind

1. Registrations

Instead of registering with the ICO, the GDPR requires you to maintain detailed documentation recording your processing activities and specifies the information this record must contain.

HINT Have you got records of the processing activities you carry out and the purpose you are doing this for? Do your records contain what the GDPR requires them to contain?

2. Strict data breach notification rules

The GDPR requires you to notify the ICO of all data breaches without undue delay and, where feasible, within 72 hours of the breach, unless the breach is unlikely to result in a risk to the individuals. If you cannot notify the ICO within this required period, you will have to justify the delay to them by way of a “reasoned justification”. If the breach is likely to result in high risk to the individuals, the GDPR requires you to inform those individuals “without undue delay”, unless an exception set out in the GDPR applies.

HINT Make sure you have effective procedures in place to comply with these time limits and for assessing and escalating breaches correctly.

3. The right to erasure (“right to be forgotten”)

The data subject has a right to ask you to delete their personal data completely.

HINT You should consider what systems your customers’ details are recorded on, how they have been shared (e.g. by email) and whether you can delete all of their records if required (wiping personal data is not always straightforward!). In addition, you will need to work with your funding partners to ensure that they can do the same when the customer makes such a request.

4. The right to data portability

Data subjects have a new right to obtain a copy of their personal data from you (if you are the controller) in a commonly used and machine-readable format. They also have the right to require you to transmit their data to another controller (for example, an online service provider) in a commonly used and machine-readable format. In exercising their right, the data subject can request that the information be transmitted directly from one controller to another, where technically feasible. You should consider how you will give effect to these rights.

HINT You should consider how you can extract their information and the formats in which you can share that information, so as to create a compliant template for the customer to receive.

5. Data subject access requests

You must reply within one month from the date of receipt of the request and provide more information than was required previously.

HINT You should plan and establish a process for how you will respond to an individual’s data subject access request within the new time scale and how you will provide the information required.