LM TOM Initiatives EU GDPR Readiness Statement
What is GDPR? The General Data Protection Regulation (GDPR) is an EU regulation that will replace the existing Data Protection Act 1998 (DPA) with effect from 25 May 2018...
Whilst it may appear similar to DPA, GDPR provides greater levels of protection and control to data subjects. As a result, GDPR will be more onerous than the current DPA requirements.
The GDPR will apply to the processing of personal data by a controller or processor in the context of the activities of their establishment in the EU, regardless of where the processing formally takes place.
It’s worth noting that despite the result of the UK EU referendum (Brexit), this doesn’t alter the need to comply with GDPR as it currently remains a legal requirement.
Who is affected?
The GDPR applies to ‘Controllers’ and ‘Processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
What are the changes?
The key changes under GDPR are as follows:
Criminal conviction data cannot be processed without a relevant derogation.
The conditions for obtaining consent will alter under GDPR legislation.
Privacy must be a constant part of any process design and privacy impact assessments must be carried out. Incident management controls must meet new breach notification requirements.
Data subjects have new rights to request the erasure or rectification of data and to object to or restrict certain processing methods.
The difference in responsibilities between Controller and Processor has been reduced and overall accountability increased.
Maximum fines for breaches will significantly increase and the Information Commissioner’s Office (ICO) will have enhanced rights to audit or to stop firms from processing data.
What do LM TOM initiatives do?
LM TOM initiatives (PPL, SDC, CRSP, DA SATS, Glossary, and TMEL) provide specific services and applications to allow market participants to process their business in a more efficient, consistent and streamlined manner in the London insurance market.
Market participant’s sign up for each service under relevant terms and conditions which details what, when and how the service will be used. Market participants own the underlying data they input into the services and applications and are responsible for ensuring any personal information submitted through the services and applications are done so in compliance with applicable data protection law.
Each LM TOM initiative is responsible for ensuring its services and applications provide users with appropriate privacy notices regarding their personal data to confirm why, how and where it will be used. The services and applications must also provide appropriate security to protect any personal data processed through them and follow required removal and destruction guidelines.
What has LM TOM been doing to ensure its business readiness for each initiative to meet GDPR compliance?
We engaged a small team of experts to review all LM TOM initiatives and carried out an impartial extensive assessment of each initiative.
The review covered all aspects of the GDPR and provided a clear understanding of the responsibilities and requirements of both controller and processors for fulfilling the services that each initiative provides to market participants.
Each initiative has undergone a Data Privacy Impact Assessment (DPIA) which identified readiness and remediation activities, taking account of the specific services, processes and supporting infrastructure provided by each initiative. The DPIA covered:
• Policies & Procedures
• Training & Awareness
• Data Management
• Information Security & Data Breach Incident Response Protocols
• Individual Rights
• Third Party Compliance Processes
• Ongoing Monitoring & Auditing
We engaged with Lloyd’s, London market associations, the Board of Placing Platform Limited & Structured Data Capture Limited and suppliers in the planning and implementation of changes required to address GDPR. As you will be aware, the GDPR requirements are designed to increase transparency, justification, and accountability, while simultaneously considering new technologies and best practices. We are committed to ensuring that all of our initiatives meet these requirements.
Where are we now?
The Boards, Senior Management & teams of all the initiatives are fully aware of the GDPR principles and the impact that these have on their business models.
Each initiative is implementing appropriate technical and organisational measures to ensure they can demonstrate that they will comply. These include:
o updating internal data protection policies, staff training, data reviews and audits of their processing activities using the DPIA tool; and.
o maintaining relevant documentation on processing activities. A Data Protection Officer for each entity is being appointed as best practice.
The principles of data protection by design and data protection by default are being embedded into the LM TOM Change Management guidelines. Where appropriate this will include data minimisation, pseudonymisation, transparency, monitoring of processing and improving security features on an ongoing basis as well as the use of DPIA
Data Privacy practices will be reviewed and monitored on a regular basis and updates will be provided to all relevant market service owner (PPL, SDC, Lloyd’s, LIMOSS
Policies & Procedures
All relevant Polices, standards and procedures are being updated to incorporate GDPR
Training & Awareness
New online training and awareness modules are being created by the Corporation of Lloyd’s and will be rolled out to all staff and initiatives from the end of April on a phased basis.
Mapping of personal data has been completed for all services and applications and classification of types of data documented and any sensitive data elements identified.
Privacy notices are being updated for each service based on the controller and processor responsibilities.
Documented processes and process flows are being created to show end to end processes
Data origins, lineage and flow of data including location and jurisdiction of where data is hosted has been documented.
Information Security & Data Breach Incident Response Protocols
Incident response processes are being updated to cover the additional requirements for personal data and the appropriate procedures are being written to handle changes in process for any personal data breaches.
Technology enhancements for each initiative are underway updating or creating privacy notices on all applications; these are all planned and are scheduled to be delivered for 25 May deadline.
LM TOM security statements have been published on the LM TOM website and various security topics relevant to the London market including GDR have been covered. Each initiative within LM TOM complies with them.
Procedures for all categories of individual’s rights are being incorporated into each Initiative’s processes and operating models. Note: not all individual rights will be applicable
There is no ‘automated decision making and profiling’ performed by any of the initiatives.
Lawful Basis for Processing and Consent
Full review in respect of Lawful Basis categorisation including special categories of personal data has been completed for each initiative and the agreed basis for collating, processing and storing of personal data is ‘Legitimate Interests”.
A Legitimate Interest Assessment (LIA) has been completed for each initiative.
Third Party Compliance Processes
A full review of all of LM TOM suppliers has been completed and prioritisation has been applied to all processors to ensure each of these vendors will have appropriate contracts in place and can provide confirmation on GDPR readiness. This includes any subcontractors who support these vendors. It is expected that this work will be completed before the 25 May deadline.
Vendors who are not designated ‘processors’ are being contacted and appropriate contract clauses and SLAs will be updated in a feasible timescale.
To ensure we can meet the GDPR requirement for Accountability and Governance we are in the process of gathering appropriate documentary evidence for each Initiative. We are following the guidelines provided by the ICO and will document, collect and store the required evidence so compliance with GDPR can be demonstrated.
Ongoing Monitoring & Auditing
GDPR is being embedded into all our Initiatives as an ongoing ‘business as usual’ function and therefore, will form part of the ongoing monitoring and self assessment controls process.
Auditing rights are covered in the market participants and vendor contracts.