Moderator: Glen Ward – Nationwide Building Society
Expert: Alan Baker – Farrer & Co
- GDPR will take effect on 25 May 2018 - just 7 months away.
- Scope: applies to the use of all personal data by Data Controllers and extends this accountability to Data Processors.
- The conversation in the room largely centred on the area of consent and how this would impact the customer experience. Consent is one way to ensure “fair and lawful processing” of customer personal data under the GDPR. Where consent needs to be given, it must be by an affirmative action and must be an ‘unambiguous’ indication of a person’s wishes (as well as being specific, informed, and freely given). In view of this, firms should consider the validity of existing consents and whether a refresh is required.
- Further, gaining consent is not just a tick in the box supported by a general statement that, for example, “we will use your data for marketing purposes”, even if this is accompanied by a generic description, e.g. “other financial services” in the case of a financial services provider. An insurance company example was discussed, with the suggestion that the consent would require a specific description of the products concerned, such as other insurance products (house insurance, motor insurance) and investments. This goes to the consent having to be “specific” under the GDPR (as above).
- Firms relying on ‘legitimate interest’ as the basis for marketing or processing a client’s personal data must clearly articulate the rationale and provide relevant communication to customers (in the form of a 'privacy notice' or 'privacy policy' which is compliant with GDPR). Judgement is required when adopting a legitimate interest approach – and it is advisable for firms to carry out a documented balancing exercise of their own legitimate interests (i.e. commercial business interests) weighed against the rights, interests and freedoms of the individuals in question. One indication of fairness in this balancing exercise is whether there is a genuine value exchange or whether the additional services were directly relevant.
- Personal data processing was described as the person effectively “lending” you their data for specific purposes and potentially for a limited amount of time, but not for any other purpose (unless the firm has a valid legal basis for further processing the data for another purpose).
- Another consideration is the PEC Regulations (the Privacy and Electronic Communications Regulations, and potentially the more onerous ePrivacy Regulation, currently in draft but due to take effect some time in 2018) when engagement is via digital channels. Direct marketing by electronic means is considered more intrusive than direct mail and consequently is subject to higher regulatory standards and stricter consent requirements.
- The GDPR also brings with it tougher penalties for non-compliance, with maximum penalties of 20 million euros or 4% of total worldwide annual turnover, whichever is higher. This gave rise to a good discussion on the implications of contracting with third parties and, as an example, the practicalities of the indemnity clause where a large data controller contracts with a smaller data processor.
- In summary, there was lively and active participation in a subject that is clearly getting a great deal of attention across many sectors that use personal data for ongoing engagement (from financial services to the charity sector).