TPP Guidelines

Data Privacy – GDPR

This version is:

Published 2 years ago 31 Mar 2021

Compliance with data privacy laws and GDPR requires a risk based approach tailored to the nature of personal data and the type of processing employed. The checklist below provides signposts to the relevant sources.

Other pages in this section

One of your most valuable asset is your customer’s personal data.

Compliance with data privacy laws and GDPR requires a risk based approach tailored to the nature of personal data and the type of processing employed. The checklist below provides signposts to the relevant sources. It is not provided as legal advice, so should not be relied upon as intrinsically compliant with applicable data protection laws.

Importantly, an organisation needs to evidence its compliance with data protection laws. Ensure the firm has clear policies and procedures in place to achieve compliance. These should be periodically reviewed and amended so that they meet the regulations and the requirements of the organisation.

It is imperative personal data it is handled with utmost care. Ensure that everyone within your organisation understands their role in protecting customer data. Controls should be implemented that ensure standards are met, with appropriate action taken for failure to comply.

GDPR is clear – an organisation must only hold personal data necessary and compliant with the purpose for which it was requested. When it is no longer necessary, organisations must have clear protocols in place to purge that data permanently from its access.

Finances have traditionally been a very private thing, and therefore needs to be treated with extra caution.

Recent research by the Financial Services Consumer Panel revealed the following:

“Among Non-TPP users in our research, most at best skim-read the terms and conditions of online services: 45% said they had not read them, a further 41% said they had only skim-read them. The main reasons why participants did not read the terms and conditions were: text too long (42%); not enough time to read them all (23%); or an assumption that an online service would comply with the law (31%). Over half of TPP user participants in the qualitative research said they did not read any terms and conditions for products and services that they had signed up for, including services that access their financial data. Many said that privacy policies were full of ‘legal jargon’ and not written with consumers in mind.” 

https://standards.openbanking.org.uk/wp-content/uploads/2022/04/final_position_paper_-_consenting_adults_-_20180419_0.pdf 

ICO Guidance

The ICO have published guidance on their expectations for ‘good compliance’, highlighting areas which have posed a challenge in the past. Organisations should periodically check the ICO website and seek their guidance for further clarity on a contentious issues. And always seek appropriate legal advice.

ICO Guide to Data Protection 

The Data Privacy Checklist

This checklist summarises the most important data privacy issues. Organisations need to demonstrate that compliance is fundamental to their culture.

Data Protection Policy

This is the overarching policy which explains, to your employees, what the organisation’s data privacy obligations are, and how they manage them.

A Data Breach Policy

Ask yourself:

Not every breach is reportable. When it is, understand what has to be investigated and what the reporting obligations and timescales are.

Data Retention & Deletion Policy

Understand other laws and regulations which may spell out different retention periods, and draft your policy accordingly.

Data Destruction Policy

Data must be disposed of securely. Ensure hardware is wiped clean of any personal data before disposing of old IT equipment.

Training and Awareness Policy

Training should be tailored to the context of the personal data being processed. Not everyone will need the same level of training.

Information Security Policy

In order to meet the confidentiality and integrity principle of data privacy laws, and to ensure that personal data is protected from unlawful and unauthorised access, it is prudent that the organisation has in place a clear Information Security Policy,  This Policy should also would be supported by an Information Security breach handling procedure which will provide clear guidance to staff on how to investigate a security breach as well as any regulatory reporting obligations.

Working from Home Policy

Personal data must be processed and stored with an appropriate level of security depending on the nature of the personal data. Ensure employees understand how to securely store data, not to take it off site and how to protect data when working remotely.

Rights for Data Subjects

The subject of data (e.g. an individual) has the following rights regarding their personal information:

Depending on the lawful basis relied upon for the processing of personal data, different rights are triggered such as:

It is important an organisation understands what rights are triggered when and have a clear and robust procedures in place to respond to any right requests.

Right to make a Subject Access Request (SAR)

The process for recognising a SAR and how to effectively respond: what needs to be provided, what exemptions if any should be applied?

Please read the ICO guidance: Right of access

Subject Access Request (SAR) Procedures

The process for recognising a SAR and how to effectively respond: what needs to be provided, what exemptions if any should be applied?

How do you Know it’s Working?

Evidence that your procedures are being implemented in practice includes:

Useful links

Institute and Faculty of Actuaries – A Guide for Ethical Data Science