General Data Protection Regulation (GDPR) Readiness

Transcription

1 For External Distribution Canada Life UK General Data Protection Regulation (GDPR) Readiness Customers, Clients and Business Partners FAQ GDPR TP FAQ January 2018

2 Frequently Asked Questions (FAQ) Document Purpose The purpose of this document is to answer the main queries a customer, client or business partner may have about how Canada Life is preparing for the implementation of GDPR, and what it means to our business. GDPR TP FAQ January

3 Frequently Asked Questions (FAQ) 1 What is Canada Life s position on GDPR? Canada Life welcomes the privacy enhancements that GDPR is expected to bring to the European data protection landscape. Furthermore, GDPR compliments the values embedded at Canada Life, values which underpin the decisions we make in our business. Putting customers at the heart of our business is fundamental to these values and includes a commitment to protect the personal information of our customers, potential customers, or employees. This applies to data that we control and process. Furthermore, we believe GDPR delivers wider business benefits, in particular enhancing our reputation with our customers as a well-managed, customer focused business they can trust. We believe that it will also help us achieve efficiency in our operations and processes. 2 What is Canada Life doing to prepare for the GDPR? We have initiated a European-wide GDPR programme to ensure that we meet our obligations. The UK has a dedicated programme focused on delivering the requirements working to a structured project plan. We aim to deliver compliance in May We have already completed all activities associated with collating records of data processing activities. 3 How are you resourcing your GDPR Readiness programme? The programme is structured under a standard programme governance model, including steering committees, working groups, and a programme management team. We have additionally recruited and appointed Subject Matter Experts and Legal counsel to ensure that any additional data privacy readiness work identified, will ensure that Canada Life meets its obligations. Appropriate budgets have been approved to ensure that both resource and technical input is sufficient to meet our commitments. 4 How is progress with your programme deliverables being assessed? A detailed task breakdown by business function is in place including more detailed assignments of activities across those functions, and allocated to work-stream leads. The progress of those tasks is overseen by a dedicated programme team reporting in to steering committees, audit and executive sponsors. 5 With regard to the services you provide do you consider yourself to be the Data Controller or the Data Processor? We are registered with the UK Information Commissioner s Office as a Data Controller. Canada Life regards itself as a Data Controller of personal data disclosed to us by the data subject and by other entities such as professional advisers, trustees and employers in connection with the services we provide. GDPR TP FAQ January

4 6 How does Canada Life ensure overall personal data governance? We have in place, and are reviewing/updating, a full range of GDPR governance documentation, appropriate to the needs of our business, to comply with the GDPR, particularly Article 30. This is supported by a 3 Lines of Defence model for Personal Data monitoring and assurance and includes: Updated Data Protection policy and standards with appropriate Data stewardship/ownership; Review of Information Security and Cyber Security policies and procedures against GDPR requirements; Design and implementation of an approved Data Governance Model incorporating Privacy by Design standards; Updated processes for Data Privacy Impact Assessments; Review all local Record Retention and Disposal Guides against the regulations; and Maintenance of a comprehensive Data Register that catalogues both structured and unstructured data across our organisation. 7 How is personal data collected in Canada Life? We collect data in a variety of ways (including via application forms or from our business partners), including from customers and suppliers but only for legitimate purposes to assist our running of the business. We have analysed our data sources, the types of data collected, validated our reasons for processing and included where data is shared for legitimate administration purposes. Our activities in this respect include: Producing a Data Register covering both structured data (system) and unstructured data (e.g. s, Word documents) that contain personal and sensitive information. Creating data flow maps, including referencing to our IT systems/data stores, for all personal data processes. 8 Do you supply personal data relating to Pension Schemes to other suppliers (e.g. actuaries)? The parties we share information with, and how we do so is set out in our approved Data Protection Notices. We only share data for legitimate or statutory purposes concerned with the administration or analysis of policies, or with the express consent of the data subject. We have a strict policy of not selling or leasing data to any third-party. 9 Can all of the personal data Canada Life holds, relating to a particular individual, be identified across the organisation? We recognise that the GDPR establishes set time periods for responding to requests regarding personal data, including the possibility of an extension of that time where the situation warrants. We fully expect to be able to meet these requirements. We will do this by: Referring to our data catalogues where personal information flows between our business areas. Using our structured data systems (indexed databases) to locate personal records. Using a suite of systems tools to verify the location and type of any unstructured data relating to a data subject. 10 How will you prioritise all the required changes? Due to the nature and complexity of IT changes, we will prioritise system changes, so that the rights and interests of individuals, who provide their personal data, are protected on a risk based approach. GDPR TP FAQ January

5 11 How are you approaching customer interfaces/interactions to ensure they are GDPR compliant? Our objective is to ensure that our procedures and processes cover all the rights that a customer has under GDPR. This includes: Updating existing Data Protection Notices and consent clauses for customers. This includes any process where the customer interacts via a web-based portal, application or other electronic interface. Continual audit and review of our existing processes to manage breaches and complaints. Continual audit and testing of our Data Subject Access Request (SAR) process. Continual review and update of our current data rectification processes. 12 How will Canada Life ensure its third-party business partners are GDPR compliant? As part of our GDPR programme, Canada Life is undergoing a thorough exercise to update all relevant contracts with third parties. This is to ensure that any such processing of personal data takes place under appropriate contractual terms, and only where necessary and proportionate to the business need. Any Canada Life controlled customer data held by third parties will be managed though appropriate contractual arrangements, including security and retention schedules that outlines our expectations of that business partner. Relevant activities in this respect will include: Contract reviews, amendment where necessary and inclusion of Data Sharing Agreements (DSAs). Clarifying any potential co-controller relationships. Review of non-european Economic Area (EEA) data transfers and any subsequent sub-processing by our partners. Oversight and audit of third party data processing. 13 What is Canada Life s approach to record retention and data disposal? We have a Record Retention Standard and Departmental Record Retention and Disposal Guides which comply with regulatory and legal requirements. These cover data held in both structured and unstructured systems and applications. We are also supporting these Standards and Guides with the use of a data discovery and indexing tool. 14 How are printed media and other disposable material destroyed? Confidential waste paper bins will continue to be provided on all floors and business units which are, in turn, supported by an active clear desk policy. This destruction process will continue to be utilised within the business areas and overseen by function managers and data champions. 15 How does Canada Life control the transfer of data outside of the EEA? We observe all requirements for transferring personal data outside of the EEA by assessing and updating existing controls against all associated data protection rules. We will continue to do so when GDPR comes into effect. We use Model Clauses approved by the European Commission to ensure that personal data is appropriately protected when transferred outside of the EEA. We do benefit from our main headquarters being based in Canada; a country acknowledged by the European Commission as an Approved Country, due to it having strong data privacy laws in place. We are checking to see if any additional enhancements to Information Security and Cyber controls are required to meet the GDPR and are also reviewing: Contracts, where necessary, to define controller/processor relationships and to put in place data sharing schedules. Whether our current encryption and data transport controls continue to be of sufficient strength to meet not only GDPR, but also the forthcoming NISD (Network and Information Security Directive). GDPR TP FAQ January

6 16 Is a record kept of which lawful processing conditions apply to your processing activities? Our data mapping exercise includes identifying the lawful basis of data processing as appropriate. This is supported by appropriate Data Protection Notices and consent notices, robust record retention and disposal routines and ongoing audit/spot checks that processes are still in accordance with the lawful basis identified. 17 Do you have policies and procedures in place for detecting and dealing with breaches? A Risk Event Standard is in place together with a case management process to log and address incidents or breaches. Logging is managed via dedicated first line defence risk operatives. Under the GDPR programme these standards and processes are being reviewed and updated if necessary. Any updated processes will be further tested and assessed via a structured breach test and audit results. 18 Has Canada Life appointed a Data Protection Officer (DPO)? We have a designated DPO in the UK who can be contacted at the address below: Canada Life Limited, Canada Life Place, Potters Bar, Hertfordshire, EN6 5BA. Telephone How will you ensure all relevant Canada Life employees with access to personal data are properly trained? A comprehensive communication and training plan is in place, ensuring regular staff updates by a mix of communication mechanisms. This is supported by both an on-line training programme and bespoke face-to-face training activity. This programme will provide consistent, controlled, timely communications and training that aligns with our project and business goals and fosters engagement from our employees. Canada Life Limited, registered in England no Registered office: Canada Life Place, Potters Bar, Hertfordshire EN6 5BA. Telephone: Fax: Member of the Association of British Insurers. Canada Life Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. CL R

7