Data Privacy – GDPR

One of your most valuable assets is your customers’ personal data.

Compliance with data privacy laws and GDPR requires a risk-based approach tailored to the nature of the personal data and the type of processing employed. The checklist below provides signposts to the relevant sources. It is not provided as legal advice, and should not be relied upon as intrinsically compliant with applicable data protection laws.

Importantly, an organisation needs to evidence its compliance with data protection laws. Ensure the firm has clear policies and procedures in place to achieve compliance. These should be periodically reviewed and amended so that they meet the regulations and the requirements of the organisation.

It is imperative that personal data is handled with the utmost care. Ensure that everyone within your organisation understands their role in protecting customer data. Controls should be implemented to ensure that standards are met, with appropriate action taken for failure to comply.

GDPR is clear – an organisation must only hold personal data that is necessary for, and compliant with, the purpose for which it was requested. When the data is no longer necessary, organisations must have clear protocols in place to purge it permanently from their systems.

Finances have traditionally been a very private matter, and therefore need to be treated with extra caution.

Recent research by the Financial Services Consumer Panel revealed the following:

“Among Non-TPP users in our research, most at best skim-read the terms and conditions of online services: 45% said they had not read them, a further 41% said they had only skim-read them. The main reasons why participants did not read the terms and conditions were: text too long (42%); not enough time to read them all (23%); or an assumption that an online service would comply with the law (31%). Over half of TPP user participants in the qualitative research said they did not read any terms and conditions for products and services that they had signed up for, including services that access their financial data. Many said that privacy policies were full of ‘legal jargon’ and not written with consumers in mind.” 

ICO Guidance

The ICO have published guidance on their expectations for ‘good compliance’, highlighting areas which have posed a challenge in the past. Organisations should periodically check the ICO website and seek their guidance for further clarity on contentious issues. And always seek appropriate legal advice.

ICO Guide to Data Protection

The Data Privacy Checklist

This checklist summarises the most important data privacy issues. Organisations need to demonstrate that compliance is fundamental to their culture.

  • Establish lawful bases for processing personal data.
    These must align with Article 6 and where applicable Article 9 of GDPR (Special Category Personal Data).
  • Have a clear and transparent Privacy Notice. Please read the ICO guidance: Privacy notice
  • Understand what privacy information should be provided. The ICO link provides guidance on what needs to be included in a Privacy Notice. Please read: Privacy notice checklist
  • Ensure you have the appropriate suite of data privacy policies and procedures.
  • Also refer to the Protecting Against Data Breach section under Security.

    Data Protection Policy

    This is the overarching policy which explains to your employees what the organisation’s data privacy obligations are, and how the organisation manages them.

    Data Breach Policy

    Ask yourself:

    • What amounts to a breach?
    • Does the breach involve personal data (data which identifies, directly or indirectly, a living individual)?
    • What rights and freedoms have been affected by the breach?
    • What are your reporting obligations as a consequence?

    Not every breach is reportable. When it is, understand what has to be investigated and what the reporting obligations and timescales are.

    Data Retention & Deletion Policy

    Understand other laws and regulations which may spell out different retention periods, and draft your policy accordingly.

    Data Destruction Policy

    Data must be disposed of securely. Ensure hardware is wiped clean of any personal data before disposing of old IT equipment.

    Training and Awareness Policy

    Training should be tailored to the context of the personal data being processed. Not everyone will need the same level of training.

    Information Security Policy

    In order to meet the confidentiality and integrity principle of data privacy laws, and to ensure that personal data is protected from unlawful and unauthorised access, it is prudent that the organisation has in place a clear Information Security Policy. This policy should be supported by an Information Security breach handling procedure which provides clear guidance to staff on how to investigate a security breach, as well as on any regulatory reporting obligations.

    Working from Home Policy

    Personal data must be processed and stored with a level of security appropriate to the nature of the personal data. Ensure employees understand how to store data securely, that they must not take it off site, and how to protect data when working remotely.

    Rights for Data Subjects

    The data subject (the individual the data relates to) has rights regarding their personal information. Depending on the lawful basis relied upon for the processing of personal data, different rights are triggered, such as:

    • Right to object to processing
    • Right to restrict processing
    • Right to be forgotten

    It is important that an organisation understands which rights are triggered and when, and has clear and robust procedures in place to respond to any rights requests.

    Right to make a Subject Access Request (SAR)

    Please read the ICO guidance: Right of access

    Subject Access Request (SAR) Procedures

    The process for recognising a SAR and how to respond to it effectively: what needs to be provided, and what exemptions, if any, should be applied?

    How Do You Know It’s Working?

    Evidence that your procedures are being implemented in practice includes:

    • Deleting/redacting personal data.
    • Responding to a Subject Access Request.
    • Keeping a Subject Access Request log or central record of processing.
    • Managing and reporting a data breach to the ICO, and/or where applicable, customers.
    • An active Training and Awareness programme.


    Useful links

    Institute and Faculty of Actuaries – A Guide for Ethical Data Science