The biggest change to data protection law in 20 years is imminent. After 6 years of debate, amendment, dissection and transition the General Data Protection Regulation (GDPR) will finally become law on May 25 2018.
The GDPR is designed to harmonise the many different data protection laws across EU member states and give data subjects more control over their personal information and how it is used. In the UK, if you or your organisation collects, processes or stores personal information you must currently comply with the Data Protection Act (DPA) 1998; on the 25th of May the GDPR will replace the DPA.
For individuals, the net effect of the GDPR is intended to be greater privacy and control, as well as the enshrinement of new digital rights. For organisations managing personal data the regulation should act as a catalyst for business process improvement. The scope of the GDPR also extends to organisations outside the EU if they collect or process the personal data of individuals located in the EU.
For those who were already highly compliant with the DPA the step up to GDPR readiness should not be a taxing one. Those organisations who have had data protection and information privacy further down their list of priorities may well wish to reflect on the accompanying regime of penalties. The current maximum fine of £500,000 under the DPA will be replaced by fines of up to €20 million or 4 per cent of turnover (whichever is greater) for the most serious of violations.
What is the IFoA doing to become GDPR compliant?
The IFoA has always maintained a high level of compliance with the DPA and has had a dedicated Data Protection Officer on staff for many years. We have undertaken a comprehensive review of all our policies, processes and procedures and those of our suppliers in order to prepare for the GDPR. We are receiving ongoing external expert legal advice and have used the services of external auditors to assess our readiness. All our staff receive data protection training, and we’ll be refreshing this to incorporate the changes arising from the GDPR in the first half of 2018.
As part of this ongoing work you will start to see changes to some of our policies and procedures that help to support our relationship with our members. We will be updating our policies relating to use of our website and related systems. We’ll also shortly be contacting members to ensure that the information we are sending them is relevant, and making it clearer how to opt out of that information where it’s possible to do so. For members who are also volunteers and may handle personal information on behalf of the IFoA, we will provide extra support in the form of additional guidance.
Is there any dedicated guidance for actuaries?
What else is happening in this area that we should be monitoring?
Separately, the UK Government is steering a Data Protection Bill through parliament. The Bill supplements the General Data Protection Regulation and makes enhanced provision for areas outside its scope. You can read more about the bill via the ICO here.
Where can I find more information?
The Information Commissioner's Office (ICO) is responsible for upholding information rights in the UK. The ICO website has a 12-step guide to preparing for the GDPR as well as comprehensive guidance on the practical application of the regulation.