Stepping Stone 08 Data protection and privacy
Introduction
Data privacy is a fundamental human right (Article 12 of the Universal Declaration of Human Rights).
Legal requirements in respect of the processing of personal data are non-negotiable. Members are required to have in place arrangements to ensure compliance with their legal obligations and reduce risk.
Why is this so important now?
The COVID-19 pandemic saw a global change in work practices. Homes doubled up as workplaces and we have witnessed members working hard to respond to the challenges that this brought with it. In terms of data protection and privacy, the acceleration of remote working has widened firms' exposure (home networks, personal devices and remote access to office systems now sit in scope) and compelled firms to take extra steps to protect the personal data of customers and employees.
Actions for members
Your focus should be to ensure a baseline of compliance with the Data Protection Act 2018 (which supplements and tailors the UK General Data Protection Regulation, or UK GDPR).
Members will already be working to ensure compliance with the Data Protection Act. Useful guidance is nevertheless made available by the Information Commissioner's Office (ICO) for data protection officers and others who have day-to-day responsibility for data protection.
That guidance explains each of the data protection principles, rights and obligations. It summarises the key points you need to know, answers frequently asked questions, and contains practical checklists to help you comply.
Members can also refer to the BIBA Insurance Brokers’ Good Practice Guide for information regarding data protection and managing the associated risks.
Responding to breaches
The Data Protection Act requires data controllers and processors to be able to detect, investigate, risk-assess and record any personal data breach. They must then report it as appropriate: a controller must notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and must tell the affected individuals without undue delay where that risk is high; a processor must notify its controller without undue delay.
The potential impacts of a data breach are significant, both for the data subject and for the firm responsible for the data. In addition to the range of early enforcement actions, the ICO has the ability to issue financial penalties of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious infringements (£8.7 million or 2% for the standard tier), not to mention the reputational damage, loss of business and disciplinary action that may arise. In the event of a personal data breach, the ICO details seven steps to follow in the first 72 hours. More useful, however, may be its guidance covering how to prepare for a breach, including the benefits of having a breach response plan.
Key KPIs to adopt
- Total number of substantiated complaints received concerning breaches of customer privacy, categorised by:
  - complaints received from outside parties and substantiated by the firm;
  - complaints from regulatory bodies.
- Total number of identified leaks, thefts, or losses of customer data.