Countdown to GDPR
This article was originally commissioned for Investment Life & Pensions Moneyfacts Magazine. Tom Murray looks at the importance of ensuring that life and pensions providers are ready to deal with the introduction of the General Data Protection Regulation (GDPR) in May 2018.
There is a “clock ticking”, according to Michel Barnier, the chief negotiator for the EU in the Brexit talks. But even though Brexit is underway, it is not going to come quickly enough to let UK firms escape from on-going regulation at the European level.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 occurs before the UK leaves the European Union, and therefore it will apply to all organisations in the UK. Whether it still applies ten months later, after the UK exits the EU, is not settled, but every indication from the government is that this is the type of regulation that is likely to be carried across and put into UK law, and that thenceforward it will keep in step with any changes the EU might make.
This will probably happen because, in the future, the ability to trade into the EU will likely depend on a company’s ability to provide the same level of consumer data protection that exists within the union. It is important to note that it is who the data is about, not where the data resides, that is the key point for the GDPR. So, any monitoring of, or collection of personal data from, individuals who are in the EU will fall under its ambit even when the processing takes place in the UK.
The rights of man
The GDPR heralds a dramatic increase in the rights of data subjects, i.e. consumers, over the information any corporation holds on them. The obligation is on the data controller, in our case the life and pension provider, to ensure that the data captured on individuals is minimised and used only for the purposes for which it was captured. The right of the individual to check exactly what data is held is strengthened, and the ability to charge for doing this is removed in most cases. Therefore, it behoves each company to ensure that it has a simple system for providing this information on demand, or it could face rapidly increasing costs as it struggles to meet the one-month deadline imposed by the regulation for responding to such requests.
The GDPR recognises that much useful information can be gathered from the data and that often its usefulness does not relate to its personal nature. Anonymised and aggregated, it can be used to improve services and products and so improve people’s lives. The point is that just because the data has been voluntarily given to a company by an individual doesn’t mean that the company is entitled to use it for any purpose other than that for which the customer has explicitly given consent (or for which another lawful basis exists).
The Information Commissioner’s Office released at the start of July its report on the Royal Free NHS Foundation Trust’s deal with Google’s DeepMind. Despite the fact that the ICO agreed that the results of the trial were positive and that better patient outcomes could be expected as a result, it found that Royal Free’s sharing of patients’ personal data with DeepMind failed to comply with the Data Protection Act. The Trust had failed to get proper consent from the individuals involved, who could not reasonably have expected their data to be used in this way.
This left the Trust open to a fine of up to £500,000 under the Act. However, the ICO decided not to fine the Trust but to ask it to sign an undertaking to establish a proper legal basis for the project and for any further trials. This incident shows the risks involved in using personal data for anything other than the purpose for which it was collected, even when the outcome is positive. Had the GDPR been in effect, the potential fine could have been much higher. So, the risks are clear, and the results, no matter how beneficial to the customer, will never justify the breach.
Here today, gone tomorrow
The most far-reaching new feature introduced in the regulation is the portability of data. This means that any customer can come to the company and demand a copy of the personal data they have provided, in a structured, commonly used and machine-readable format, in order to transfer it to another data controller. This is a major change and will require all companies to assess their current systems, as well as all new systems, to ensure that it is possible to copy out all personal information linked to an individual and supply it to them.
As existing systems were not designed with this in mind, it could be a major task for companies to bring themselves into line. Allied with this is a strengthening of the so-called ‘right to be forgotten’, the right to have one’s personal data erased, which includes the case where the individual withdraws the consent on which the processing relied. It is also worth noting that merely storing data counts as ‘processing’ under the regulation, so data kept but never otherwise used is still in scope.
Even the straightforward request for a copy of any information held about an individual has the potential to cause problems, as the company is no longer allowed to charge for the information in most cases. This removes a brake on applications and opens the possibility of a large rush of requests causing a big drain on resources, particularly as making a request has no cost or consequence for the individual.
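The practical prerequisite for answering portability, access and erasure requests at all is a data map: one list of every store that can hold a person’s data. The following Python is an added illustration written for this edit, not code from the article or from any provider; the store names, record layouts and sample customers are constructed for the example, and the one-month deadline is modelled as 30 days.

```python
"""Added example (not from the original article): a minimal personal-data
registry that answers a portability request with a machine-readable export
and an erasure request across every store holding data about one subject.
All system names, record layouts and sample records are constructed for
illustration; they are not any provider's real schema."""
import json
from datetime import date, timedelta

# Constructed sample stores, keyed by an internal customer reference.
# In a real estate these would be separate systems (policy admin, CRM, claims).
POLICY_ADMIN = {
    "C1001": {"name": "A. Example", "dob": "1970-01-01", "policies": ["LP-77"]},
    "C1002": {"name": "B. Sample", "dob": "1985-06-30", "policies": []},
}
CRM = {
    "C1001": {"email": "a@example.invalid", "marketing_consent": True},
}
CLAIMS = {
    "C1001": [{"claim": "CL-5", "status": "paid"}],
}

# The data map: every store that can hold personal data, listed in one place.
# A subject request is only answerable in full if this list is complete.
DATA_MAP = {"policy_admin": POLICY_ADMIN, "crm": CRM, "claims": CLAIMS}

DEADLINE_DAYS = 30  # the regulation's "one month"; modelled as 30 days here


def export_subject_dict(subject_id, stores=DATA_MAP):
    """Collect everything held about one subject from every mapped store."""
    bundle = {"subject_id": subject_id, "sources": {}}
    for name, store in stores.items():
        if subject_id in store:
            bundle["sources"][name] = store[subject_id]
    return bundle


def export_subject(subject_id, stores=DATA_MAP):
    """Portability export: the same bundle serialised as JSON, which is a
    structured, commonly used and machine-readable format."""
    return json.dumps(export_subject_dict(subject_id, stores),
                      sort_keys=True, indent=2)


def erase_subject(subject_id, stores=DATA_MAP):
    """Remove the subject from every mapped store and report which stores
    held data, so the reply to the subject (and the audit log) can state
    exactly what was deleted. Stores with no record are reported as absent."""
    erased, absent = [], []
    for name, store in stores.items():
        if store.pop(subject_id, None) is not None:
            erased.append(name)
        else:
            absent.append(name)
    return {"erased": sorted(erased), "absent": sorted(absent)}


def response_deadline(received_iso, days=DEADLINE_DAYS):
    """ISO date by which a request received on received_iso must be answered.
    (The regulation allows a further extension for complex requests; that
    case is deliberately not modelled here.)"""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    print(export_subject("C1001"))
    print(response_deadline("2018-05-25"))
    print(erase_subject("C1001"))
```

The point of `erase_subject` reporting both `erased` and `absent` stores is that an erasure request is only demonstrably complete when every store in the map has been visited; a store missing from `DATA_MAP` is exactly the data that would survive a deletion and surface later.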
The penalty for failure
If your organisation is gathering data from customers, and all life and pension companies are, then you will need to realise that the penalties for not securing the data or not treating it correctly are about to get a lot more severe. The maximum has been raised to €20 million or 4% of the company’s annual worldwide turnover, whichever is the greater. Note, that is turnover, not profit. This is a huge fine, a steep increase from the £500,000 maximum that was previously applicable, and is not to be taken lightly by any organisation. The severity of the penalty shows the seriousness with which the whole issue of the protection of personal data is now being taken, and it would be a strategic mistake for any life and pension company not to take the issue just as seriously.
Can’t run, can’t hide
Recent high-profile incidents, such as the WannaCry ransomware outbreak that crippled the NHS, show just how easily a company can end up in breach of the regulatory duty to protect the data it holds on behalf of customers. WannaCry did not steal data, but it denied access to it, and the regulation’s definition of a personal data breach covers destruction and loss of personal data as well as its unauthorised disclosure. Every company that deals with individuals should now be making the protection of that data a primary goal, not just reviewing the current position to ensure that it is compliant, but also building the processes that will maintain compliance into the future.
Ensuring the security of the network is paramount, to prevent intruders getting access to the data. However, even using cloud-based system suppliers will not remove the onus from the life and pension provider to be compliant; it merely adds the supplier (or processor, as they are known) into a joint liability situation, and the regulation requires a written contract setting out the processor’s obligations. Ultimately, the life and pension company, as the controller of the data, will have to shoulder the burden of ensuring that the data is safe.
Show and tell
In today’s interconnected world, it isn’t possible to run an isolated network with no access for outsiders. As consumers demand that ever more services be provided to them in real time over the Internet, the possibility of breaches into networks grows.
Therefore, what each company needs is a set of procedures and documented results that show it is doing everything reasonably possible to prevent such a security breach occurring. This extends into the design of systems and procedures, in order to show that data protection was a key consideration at the design and development stage (the regulation calls this data protection by design and by default).
One of the primary protections for any company will be its ability to prove by demonstration that it is doing all it can to ensure the security of the personal information it holds. This is likely to lead to a large increase in the amount of documentation that will have to be stored for audit purposes. The more a company can show it is doing, the less it is likely to be fined in the event of a serious security breach.
Appointing a Data Protection Officer is mandatory where a company’s core activities involve large-scale processing of special categories of data such as health information, which is the position of most life and pension companies. This official will report to the highest levels of management and will be the contact point for the national data protection authority. The company itself must notify that authority of any breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.
There are many more features and any company that isn’t currently making moves to sort out the issue is living in cloud-cuckoo land. But while the focus of many people remains on Brexit with, at this stage, its unknowable consequences, many life and pension companies are failing to focus on something that is likely to have a greater and more immediate impact on their business. The cost of compliance should not be underestimated and the time it will take to achieve it is also going to be significant.
The questions around GDPR are no longer whether one should get involved. There is no choice. This is set to become a major cost for businesses in the future. The question is whether the company can actively get ahead of the game by taking the issue seriously now, or whether it will be left playing catch-up when the issues involved become clear.
The clock is ticking
There may still be some who are hoping that the Brexit bus will carry them out of range of the GDPR. In practice, any company which hopes to do any business anywhere within the union, or which wants to provide data services to any company in the union, will need to be compliant. As this comprises a large section of the business community, the likelihood is that it will be simpler for the UK to keep in step with the GDPR than to try to establish a different level of data protection. Thus, in the long run it is probably unavoidable for the vast majority of companies, and therefore they need to start thinking strategically about it now.
As for whether all this time, effort and expense will actually leave the consumer better off, only time will tell. Certainly, they will ultimately pay more, as implementing the regulation will cost firms a significant amount of money, which can only be recouped from customers.
The stated aim is to give people the confidence to provide their data to companies and access services across the EU without feeling their personal information is at risk, particularly if it is being controlled or processed in another country. Whether such a lofty aim can be achieved by mere regulation is questionable; we must wait and see. In the meantime, from a company point of view and given the severity of the fines, full implementation of the GDPR is the only realistic option for any firm. Tick, tock, tick, tock.