Jonathan Segal (pictured), partner at law firm Fox Williams, delves into the upcoming changes to data rules that peer-to-peer lenders should be aware of…
In this increasingly data driven world, personal data is becoming ever more valuable. But every valuable commodity must be treated with care and data is no exception.
In May 2018 the new General Data Protection Regulation (EU) 2016/679 (GDPR) is due to come into force, replacing the current Data Protection Act 1998, and, as an EU regulation, it will be directly applicable to all EU member states.
I know what you’re thinking: if it’s an EU regulation, then what about Brexit? Irrespective of when the UK will officially leave the EU as a result of Brexit, the GDPR will inevitably be very relevant to UK businesses, including firms regulated by the Financial Conduct Authority (FCA).
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, so companies should start preparing for GDPR’s impending arrival in May.
If you collect personal data, which as a peer-to-peer lender and/or a consumer credit provider you almost certainly will do, this impending regulation change should be high up on your agenda.
What are the most significant changes?
Here are some of the most significant changes to data protection law that we will be seeing:
Consent: Data subjects will have to “explicitly” give their consent to the processing of their personal data. This will require a clear affirmative act such as a written statement – silence or inactivity will not constitute valid consent. Instead, express consent (e.g. by ticking boxes when visiting websites or similar methods of authorisation) will need to be sought to ensure that the data subject is aware that he or she is consenting to the processing of personal data. The days of the pre-ticked box confirming consent will be over! When the processing has multiple purposes, such as for data analytics, marketing and consumer benefit the data subject should give their consent to each of the processing purposes separately.
Privacy by Design: The GDPR will impose an obligation on data controllers to assess privacy risks from the early stages of any project (privacy by design). Data controllers will be required to keep their personal data activities at a minimum in terms of volume of data collected and the amount of time it is stored. This will impact P2P lenders which often hold large amounts of data on individuals for lengthy time periods.
Profiling: This will be limited under the GDPR. Profiling refers to the automated processing of personal data (typically used to predict consumer behaviour). Data subjects will have a right not to be subject to a decision based solely on profiling. Profiling will only be allowed if, for example, it is either required by law, consented to by the data subject or necessary for the performance of a contract. This will be particularly relevant for consumer lending platforms that rely heavily on data-driven lending decisions.
Right to be forgotten: A new addition which has caught the headlines in recent months. Individuals will have the right to request that businesses delete their personal data in certain circumstances, for example, if the data is no longer necessary for the purpose for which they were collected or the data subject withdraws their consent. However it still remains unclear precisely how this will work in practice. For example, regulated financial services providers are under certain regulatory obligations to keep customer data for a certain period of time; how this will interplay with the ‘right to be forgotten’ will remain to be seen.
Data Portability: The GDPR will introduce the concept of “data portability”, that is the right of data subjects to obtain their personal data from data controllers in a structured and commonly used format so that it can be transferred to another data controller. Think of this as ‘U-Switch’ for your personal data. Again, this may be an interesting challenge for consumer credit platforms that create a large amount of data about their customers.
Penalties – The consequences of not complying with the GDPR will be harsh. Under the new regime undertakings risk being fined up to four per cent of their total worldwide annual turnover or €20,000,000 (whichever is higher) for breach of the more serious requirements under the regulation.
Some organisations are already required to notify the ICO (and possibly some other bodies such as the FCA) when they suffer a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If such a breach occurs you will have to notify the ICO (and FCA if applicable) without undue delay and, where feasible, within 72 hours of becoming aware of such breach. A well-developed data security policy incorporating an incident response plan is therefore highly recommended.
Will I need to designate a data protection officer?
Given the potentially onerous obligations created by the GDPR, the further new requirement for certain data controllers and processors to designate a data protection officer within their organisation comes as no surprise. Appointing a data protection officer would in any event be the most sensible course of action for large organisations and firms that process large volumes of data. However, this requirement may also affect smaller companies that process large volumes of data and come as a significant additional cost to such businesses.
If you do require a data protection officer then it is most important that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.
Companies that routinely process data as part of their day to day activities should really start to think now about how best to ensure that they have systems, procedures and personnel in place to comply with the new regulation once it comes “live” in May 2018. This is especially so given the potentially adverse financial (and reputational) consequences that breaching the GDPR could lead to.