General Data Protection Regulation (GDPR) – what is it?
Last month, we informed you that we would be sharing some important information on GDPR (General Data Protection Regulation) and how it will affect everyone that deals with customer data, particularly those within the financial services industry.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that will replace the existing Data Protection Act (DPA) with effect from 25 May 2018.
This is an EU-wide regulation with world-wide reach. Therefore, any company or individual that processes an EU citizen’s data will need to comply with GDPR. Whilst it may appear similar to the DPA, GDPR provides greater levels of protection and control to data subjects. As a result, GDPR will be more onerous than the current DPA requirements.
It’s worth noting that the result of the UK’s EU referendum (Brexit) doesn’t alter the need to comply with GDPR, which still remains a legal requirement.
Who is affected?
The GDPR will apply to the processing of personal data by a Controller or Processor in the context of activities of their establishment in the EU, regardless of where the processing actually takes place.
What are the changes?
The key changes under GDPR are as follows:
- Criminal conviction data cannot be processed without a relevant derogation.
- The conditions for obtaining consent will alter under GDPR legislation. This means that (1) a soft opt-in is no longer permitted, (2) parental consent is required to process children’s data, (3) indirectly acquired data must not be processed without consent or notification, and (4) records of consent must be kept.
- The information to be provided at the point of data collection could change significantly.
- Privacy must be a constant part of any process design and privacy impact assessments must be carried out.
- More information must be disclosed in response to subject access requests and these are likely to increase in volume.
- Incident management controls must meet new breach notification requirements.
- Data subjects have new rights to request the erasure or rectification of data and to object to or restrict certain processing methods.
- The difference in responsibilities between Controller and Processor has been reduced and overall accountability increased.
- Maximum fines for breaches will increase massively, and the Information Commissioner’s Office (ICO) now has rights to audit firms or to stop them from processing data.
What happens if you don’t comply?
Under the new legislation, the financial sanctions for breaches of or non-compliance with GDPR will rise from the current maximum fine of £500k to a maximum fine of either 2% or 4% of group global turnover, depending on the type of breach.
Individuals may also pursue damages and bring claims directly against businesses based inside and outside of the European Economic Area (EEA). With this in mind, GDPR will have a significant impact on the financial services industry.
We’ll keep you updated over the coming months, but if you do have any questions, please contact your Aviva sales manager.
In the meantime, if you’d like advice on general Data Governance best practice, please view our guide here.