IMPLICATIONS OF GDPR ROBERT BELL.

INTRODUCTION
Robert Bell:
- Law background
- Credit Services Association, Director of Legal & Compliance
- Qualified tutor
- Author, Level 2-6 Courses
- Credit Excellence Awards
- Auditing / Training / Support
(Speaker note: clear up the 25 years experience on the meeting brief)
COMPLIANCE INSIGHTS GDPR

CONTENT (we have a total of 1 hour)
1. Requirements – background / overview
2. Changes brought by the Data Protection Bill
3. What to do if you are not fully compliant
4. DPIA
Q&A

GDPR - OVERVIEW: BACKGROUND / MAJOR CHANGES
Reasons for processing data:
- Consent
- Contractual / legal
- Vital interests / Public Int.
- Legitimate Interests
New rules around obtaining consent:
- Positive action, freely given, unambiguous
- Informed
- Right to remove consent
Information which must be included in Privacy Notices
Internal rules:
- Supplier management
- Privacy by design
- DPIA
- DPO?
Breach notification requirements and increased penalties
Other rights:
- Access / object
- Rectification / restriction
- Right to be forgotten
- AP/DM
- Portability

DATA PROTECTION BILL
Is now the Data Protection Act 2018!
- Does not replace GDPR but addresses flexibility allowed by GDPR
- Does not ensure data protection post-Brexit
- Transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive)
- Elements impacting financial services….

DATA PROTECTION ACT
GDPR Art. 9 requires conditions to be met to process special category data:
- Lawful basis under Article 6, plus
- Separate category for processing special category data under Article 9, such as explicit consent, required by law, vital interests where they are unable to give consent, assessment of working capacity, public interest, etc.
The special categories are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

DATA PROTECTION ACT
DPA expands the potential for processing such data:
- Special category data can be processed for employment where an appropriate policy is in place or it is used for ensuring equal opportunity / treatment
- Special category data can be processed in order to prevent fraud, terrorism (including funding) or money laundering
- Special category data can be processed for an insurance reason

DATA PROTECTION ACT
GDPR Art. 10 requires conditions to be met to process criminal convictions data:
- Article 10 prohibits the processing of criminal convictions data unless it is carried out under the control of official authority or it is authorised by UK law.
- Member States may authorise the processing of criminal convictions personal data in specific circumstances and subject to appropriate safeguards.

DATA PROTECTION ACT
DPA expands the circumstances in which criminal convictions data may be processed, including:
- Consent
- To protect vital interests
- Necessary for making / defending a legal claim
- For insurance purposes
- Required under employment law and you have an appropriate policy in place
- Where it is required for an occupational pension

DATA PROTECTION ACT
Required under employment law:
- Opens criminal record checks where they are required by law, such as working with vulnerable people
- Opens to situations where required for regulatory compliance, such as the Senior Managers Regime
- However, it does not say we can routinely assume consent for all employees (unless they consent)

DATA PROTECTION ACT
An appropriate policy should:
- explain how the controller complies with the data protection principles set out in Article 5 of the GDPR;
- explain the controller’s policies for the retention and erasure of personal data processed under the relevant condition; and
- be retained, reviewed and (if appropriate) updated by the controller and (if requested) made available to the Information Commissioner, for six months.
Where appropriate policy documentation is required, the controller’s records of processing activities (under Article 30 of the GDPR) must include:
- details of the relevant condition relied on;
- how processing satisfies Article 6 of the GDPR (lawfulness of processing); and
- details of whether the personal data is retained and erased in accordance with the appropriate policy documentation (and if not, the reasons why not).

WHAT TO DO IF YOU ARE NOT COMPLIANT
1. ICO is not expecting to enforce full compliance from day one
2. Willing to accept a risk mitigation plan / action plan
3. Ensure you understand the new rules – there have been many misconceptions
4. Prioritise actions

GDPR - MISCONCEPTIONS
1. Extent of consent
2. Recording data in relation to vital interests
3. Right to be forgotten
4. All breaches must be reported to the ICO
On the 4th: only those breaches which pose a risk to the rights and freedoms of data subjects must be reported, not all breaches. For example, where encrypted data was sent to the wrong person, there is no need to report this as there is no risk to the data subject. Remember it’s not only data breaches but also incorrect destruction of data where this poses a risk to a person’s rights and freedoms.

IMPORTANT ACTIONS: WHAT PEERS ARE DOING
- Consent for new data in relation to marketing and special category data. Consider need to re-obtain consent from current database
- Gap-analysis feeding a detailed action plan with priority given to:
  - Communication with DS
  - Major IS gaps
  - Team awareness
- Privacy notices:
  - Update Art. 12-14
  - List of processors?
  - Options for “sending” to customers
- Internal rules:
  - Processes for each right
  - Breach notification
  - Data retention
  - Info security, etc.
  - Processor contracts
- DPIAs:
  - Stage 1: Record decision
  - Stage 2: Obtain ICO consent

SUMMARY
Q&A

CONTACT US
Any questions/queries, please get in touch…
07849 774 401
robert.bell@rbcompliance.co.uk