Exponential growth in the internet, the paperless office, remote working and the use of cloud computing services have revolutionised the way in which individuals and businesses interact and data is processed.
The pace of change has outstripped current data protection law, but on 25 May next year the EU's General Data Protection Regulation (GDPR) will seek to redress the balance by addressing the risks that computing and the internet pose to privacy and personal data.
It will also force businesses to confront the cyber exposures they face in today's commercial environment, and to revisit the common misconception that effective cyber security is prohibitively expensive.
GDPR will affect every organisation that collects personal data, irrespective of size, sector or purpose and will introduce new concepts and rights which will have a significant impact on how you handle and use personal data.
Its introduction is great news for consumers, removing ambiguity, making them better informed and giving them significantly more control over how their data is used. But ensuring that the new data protection rules are met alongside other regulatory obligations will, as ever, present an ongoing challenge for many firms.
The GDPR clarifies and increases the responsibility of organisations for the personal data they handle and store. It also introduces mandatory breach reporting and tougher penalties for those who do not comply with data protection legislation: fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
GDPR applies to structured paper filing systems just as much as to your front and back office software. Failure to understand these challenges, to modify internal procedures and to capture the data you need from May 2018 onwards will considerably hamper your ability to function and expose you to unnecessary risk.
It also places a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (the ICO in the UK), and in some cases to the individuals affected. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore more than just losing personal data: records encrypted by ransomware and left unavailable, or a staff member viewing records they have no business reason to see, also qualify.
Under existing UK legislation there is no general obligation to report data breaches to the ICO. Under GDPR, however, a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be told without undue delay. Because the 72-hour window runs from the moment you become aware of the breach, not from the moment you understand its cause, you need an internal escalation process, and a record of what you knew and when, in place before an incident happens.
Other key changes include the 'right to be forgotten' (the right to erasure): where there is no legitimate reason to hold on to personal data and the data subject no longer wants it held, it must be deleted. GDPR also requires that personal data be kept in a form that identifies individuals for no longer than necessary; after that period it should be securely wiped, or anonymised if you wish to retain it. You will therefore need processes in place to determine how such requests are handled, and documented retention periods to act on.
A new right to data portability will make it easier for customers to move their data between service providers. It applies to data the individual has provided to you and that you process by automated means on the basis of consent or a contract, and the data must be supplied in a structured, commonly used, machine-readable format. This could simplify and accelerate things like mortgage affordability checks.
Many software solutions can help mitigate the risks, but using them does not absolve you of responsibility: as the data controller you remain accountable for what your systems and suppliers do with the data. Consequently, intermediaries need to understand the challenges presented by the GDPR and begin to make appropriate plans.
I highly recommend reviewing the ‘12 steps to take now’ guide to GDPR issued by the Information Commissioner’s Office, which illustrates how the changes need to be embedded into your organisation and the need to increase the transparency and accountability of the data you hold and process.
Vishal Pandya, Operations Manager, Society of Mortgage Professionals