Last updated: 10 May 2017
In April 2016, the General Data Protection Regulation (GDPR), which repeals and updates the EU Data Protection Directive (95/46/EC), was formally agreed. It is directly applicable legislation and will automatically become part of UK law from 25 May 2018.
Some of the key changes are:
- Increased Territorial Scope and penalties: The GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. The penalties for breaching the Regulation can be up to 4% of annual global turnover or €20 Million (whichever is greater). These apply to both controllers and processors.
- Consent: requests for consent to use personal data must be presented in a clear, accessible way, free of legalese. It must be as easy to withdraw consent as to give it.
- Breach notification: Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (in the UK, this is the Information Commissioner’s Office or ICO) within 72 hours and to affected individuals ‘without undue delay’.
- Right to Access: there is a right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
- Right to be Forgotten: the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. A data controller must weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
- Data Portability: the GDPR introduces data portability, the right for a data subject to receive the personal data concerning them which they have previously provided, in a 'commonly used and machine-readable format', and the right to transmit that data to another controller.
- Privacy by Design: privacy by design calls for data protection to be built in from the outset of system design, rather than added on afterwards. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), and to limit access to personal data to those who need it to carry out the processing.
- Impact of Brexit: if firms process data about individuals in the context of selling goods or services to citizens in other EU countries, then they need to comply with the GDPR, irrespective of whether the UK retains the GDPR post-Brexit.
If a firm’s activities are limited to the UK, then the position (after the initial exit period) is much less clear. Westminster has indicated it will implement equivalent or alternative legal mechanisms.
We expect any such legislation will largely follow the GDPR, given the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.
We have sought to ensure that the GDPR allows lenders to continue to be able to carry out appropriate profiling of their customers, which is essential to allow lenders to assess whether it is appropriate to lend to an individual.
Further clarity will be required as to what Westminster plans to implement once the UK has exited the EU. We expect any such legislation will largely follow the GDPR.
Why this is important for lenders
Lenders will have to implement the requirements of the GDPR by May 2018, as they act as controllers and processors of the personal data of their customers.
Practical issues may arise for lenders in relation to customers who wish to exercise their right to be forgotten, or who wish to withdraw consent for use of their personal data, given that lenders need, for example, to be able to access information about the customer to assess their creditworthiness.
CML has engaged in cross-trade association discussion and lobbying on the early versions of the General Data Protection Regulation (GDPR). We have participated in industry roundtables with the Information Commissioner's Office (ICO) and the Department for Culture, Media and Sport (DCMS) on issues affecting the financial services industry, in particular in relation to fraud. CML is a member of the Credit Industry Fraud Avoidance System (CIFAS) roundtable group discussing the implications of the GDPR for firms.
On 10 May 2017 we submitted our response to the Department for Culture, Media and Sport consultation on GDPR. We urged that the DCMS put legislative derogations in place to enable lenders to process data for the purposes of assessing creditworthiness and detecting financial crime.