Software - How Data Privacy will impact the actuarial profession


A battle has been raging in Europe over the future regulation of data privacy. Whatever the result, the outcome will significantly impact the actuarial profession. Back in 2013, the Information Commissioner’s Office issued guidance on identifying who, under the Data Protection Act 1998 (DPA), was a data controller or a data processor. The ICO’s view was that professionals providing specialist services were data controllers, rather than data processors.

 By Mark Gleeson, Partner (Barrister), Squire Patton Boggs (UK) LLP
 
 This issue is significant because only a data controller has statutory duties under the DPA. A data processor, on the other hand, only has contractual obligations to its client.

 The Institute and Faculty of Actuaries (IFoA) issued its own guidance in 2013, which was superseded by new guidance in August 2014. In short, the IFoA stated that “Scheme Actuaries, to the extent that they are fulfilling their statutory functions, are likely to be treated as data controllers for the purpose of the [DPA]”. In those circumstances, Scheme Actuaries must comply with the DPA in full and can be subject to enforcement and monetary penalties of up to £500,000 for non-compliance. Consequently, many firms have been engaging with their clients to draw up new terms of business to reflect this position and to manage the additional duties and liabilities that being a data controller brings.

 While the actuarial profession has been dealing with this change in status, more significant changes have been under discussion in Brussels. In 2012, the European Commission published a draft General Data Protection Regulation (the GDPR) with the intention of reforming the 1995 Data Protection Directive (which is implemented into UK law by the DPA). One of the purposes of the GDPR is to harmonise data protection law across the EU Member States. The draft GDPR is highly controversial and has been described as one of the most heavily lobbied pieces of regulation in the history of the EU.

 After much argument, the European Parliament agreed its compromise text on the GDPR in March 2014. The European Council agreed its own version on 15 June 2015. The GDPR is now the subject of a tripartite process (trilogue) between the Commission, Parliament and Council, through which the three parties must reach an agreement on the text. Once agreement has been reached, and the final draft adopted, there will be a two-year implementation period after which the GDPR will be enforceable.

 There are some provisions in the draft GDPR which will, if adopted, impact on the actuarial profession.

     
  1.   The GDPR will, for the first time, impose legal obligations on data processors, as well as data controllers. Therefore, a Scheme Actuary or firm will be under enforceable legal duties in respect of any of their data processing.
  2.   The processing of data will need to meet stricter legal conditions e.g. consent will become much harder to rely on.
  3.   Controllers will be obliged to give very detailed information to individuals about the processing of their data.
  4.   Controllers will need to have in place, and ensure the effectiveness of, policies and procedures to comply with the GDPR. External validation of those measures may be required.
  5.   There will be additional obligations to comply with principles of privacy by design and by default. Controllers and processors will have to perform data protection impact assessments.
  6.   Records of the data processing activities of controllers and processors will need to be kept and maintained.
  7.   All actuarial firms (whether acting as a controller or processor) will be under a duty to appoint a data protection officer if they have more than 250 employees (Commission text) or process the data of more than 5,000 individuals in a year (Parliament text).
  8.   There will be compulsory breach reporting for controllers to the relevant data protection authority and, in some cases, to the affected individuals. A processor will be obliged to notify the controller in the event of a breach.
  9.   Individuals’ rights will be enhanced e.g. right of subject access, right of data portability, right to be forgotten and right to object.
  10.   Anonymous data remains outside the scope of the law. However, pseudonymous data (data which would allow the identification of an individual when combined with other data) is caught by the GDPR. Actuarial firms will need to assess whether the processes they use to de-personalise data are sufficient to render the data anonymous.
  11.   Sanctions for breaches of the GDPR by both controllers and processors could result in fines of €1 million or 2% of annual worldwide turnover, whichever is greater. Even higher fines have been proposed.
  12.   Data subjects who have suffered damage as a result of non-compliant processing will have a right of compensation against a controller or processor. Class actions may also be possible.

 The proposed changes are far-reaching for all organisations that process personal data and could prove costly.
 The draft GDPR will change, and actuarial firms and Scheme Actuaries should pay careful attention to developments in Brussels.

 It is possible that adoption could occur in 2015 with implementation in 2017. In view of this, and to start on the front foot when the GDPR is finalised, it would be prudent to undertake assessments to ensure that the current processing of personal data complies with the DPA and with client agreements.
