In a nutshell, GDPR will change how businesses handle their customers’ personal information. It will also give customers more say over how their data is used and stored.
We’ve pulled together experts from across the Royal London Group and created a Data Governance project team to tackle the GDPR changes.
We’re preparing for GDPR by:
The main changes made to both the documents were:
There were also a handful of changes unrelated to GDPR made to the pensions Terms of Business document:
We’ve updated our Privacy Notice for customers to explain:
Customers can read our full Privacy Notice by visiting royallondon.com/privacynotice.
Our adviser Privacy Notice explains how we use your own personal information and what your rights are. This will be available on our website royallondon.com/privacynotice from 25 May.
GDPR applies to ‘data controllers’ and ‘data processors’. The diagram below explains the difference between ‘data controllers’ and ‘data processors’ and our responsibilities under both roles:
The data controller determines the means and purpose of processing personal information. They can use a data processor to provide expertise, but the data controller has the final say in what happens with this personal information.
The data processor is responsible for using personal information in line with instructions from the data controller.
Both you and Royal London are joint, independent data controllers.
Royal London is responsible for making sure they’re clear and upfront about how they use personal information. They have a legal basis to share data with you.
You’re also responsible for making sure you’re clear and upfront about how you use personal information. You have a legal basis to share data with us - for example when you’re applying for a new product on behalf of your customer we need certain personal information to process the application.
Here are some of the things you need to consider as part of your own GDPR requirements:
As mentioned in our updated Terms of Business, we’re both responsible for our own compliance with the data protection legislation. However, we’ve noticed that some advisers are using public email providers such as Google. In this instance, we wanted to let you know that the email provider would be classed as a Data Processor under GDPR, so you should have the standard GDPR terms in your contract with them. Where you provide us with such an email address, we’re presuming that you have such agreements in place.
Both you and Royal London are independent data controllers. We’re legally required to make sure we have a legal basis for sharing data with you and we’re responsible for making sure we’re clear on how we use customers' personal information – in GDPR terms it’s called being ‘transparent’.
You’re also responsible for having a legal basis for sharing data with us and being ‘transparent’, for example when you send us a new business application.
You’ll find everything you need to know on the ico.org.uk website. To get you started, our 'What you need to do' section above lists some of the things you need to consider.
We keep customers’ personal information for as long as it’s needed, providing we’re still using it for the same reasons we collected it. We also need to comply with regulatory requirements, meaning by default we will keep personal information for seven years after our relationship with your client has ended. Information can sometimes be kept for longer than seven years.
Our Privacy Notice explains more about this.
Legitimate interest is where a company needs to demonstrate a valid reason for using personal information.
However, customers have the right to object to us using their personal information by ticking a marketing ‘opt out’ box in our application forms.
You can find a full list of your adviser responsibilities and more information on GDPR by visiting ico.org.uk.