General Data Protection Regulation FAQs

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a new piece of legislation that has replaced the Data Protection Act 1998. The GDPR became enforceable law on 25 May 2018 and will enhance and strengthen individual rights, increase compliance obligations and expand investigative and enforcement powers for The Information Commissioner’s Office (ICO).

It impacts how companies collect, store and use customers personal data as well as the controls and governance around these activities. The principles of data protection remain broadly similar to the previous legislation, but place more focus on organisational accountability. For full details of the GDPR, please visit the Information Commissioner’s Office (ICO) website.

What constitutes ‘personal data’?

The GDPR defines personal data as:

“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data includes items such as:

  • Personal details
  • Family and lifestyle details
  • Education and training
  • Medical details
  • Employment details
  • Financial details
  • Contractual details (for example, good and services provided to a data subject)
  • Genetic, biometric and health data
  • Online identifiers (IP addresses, cookies).
What constitutes ‘special category data’?

There is also a subset of personal data known as ‘special category data’. This is personal data which is deemed as more sensitive under the GDPR and so requires greater safety measures to ensure its protection.

Examples of special category data include:

  • Racial or ethnic origin
  • Political opinion
  • Religious beliefs or other beliefs of a similar nature
  • Trade Union membership
  • Physical or mental health or condition
  • Sexual life
  • Biometrics

There are separate safeguards for personal data relating to criminal convictions and offences. For more information on this, please visit the Information Commissioner’s Office (ICO) website.

Does Brexit mean the GDPR won’t apply to the UK?

The government will enact the UK Data Protection Bill which will ensure that the UK needs to adopt GDPR.

Will you be making amendments to your contracts with members?

Nationwide regularly reviews its Terms and Conditions and will continue to monitor and make changes where it sees fit. We’re not looking to make explicit changes to our contracts with members. We have however updated our Fair Processing Notice to bring it in line with the demands of the regulation and improve its usability.

What are the consequences of a GDPR breach?

Where it’s identified there’s a potential breach, this must be reported to the ICO within 72 hours. Where there is a high risk, those individuals that are impacted must also be notified.

Failure to notify of a breach when required to do so could result in:

  • A fine of up to £10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
  • A fine of up to £20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
What is the difference between Data Subject, Data Controller and Data Processor?

The GDPR defines these terms as the following:

“Data subject means an individual who is the subject of personal data.”;

“Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”;

“Data processor, in relation to personal data, means any personal (other than an employee of the data controller) who processes the data on behalf of the data controller.”

For more information on this, please visit the Information Commissioner’s Office (ICO) website.

At what point does Nationwide become the Data Controller?

The intermediary is acting as an independent Data Controller in respect of the personal data that they capture and process as part of their advice activities. This is to the extent that the inputting of data into Nationwide’s systems on the selection of a Nationwide product by a customer amounts to “processing”. This is on a Data Controller to Data Controller basis. This is because neither party is processing personal data for the other. Instead each is determining the purpose of the processing of that data (i.e. to introduce the business and obtain a procuration fee and the servicing of those customers).

Where the intermediary passes data over to Nationwide and Nationwide is considering whether to lend to a customer, Nationwide and the intermediary are acting as a Data Controller. This is because Nationwide is processing that data for its own purposes (i.e. to determine whether to lend or not – irrespective of whether this is at DIP or FMA stage). The intermediary is submitting that data to Nationwide for its own purposes and not under Nationwide’s instructions. As such the intermediary remains a Data Controller too.

What new rights does a customer have under the GDPR?

The GDPR gives individuals more control around how their personal information is handled, including new rights to help people understand how their data is used and how to manage their data privacy.

Customers will have enhanced rights including:

  • Right to object: the right to object to the processing of personal information any further;
  • Right to portability: the right to ask to transfer a copy of the information held about a customer – to the customer or another provider;
  • Right to rectification: the right to request to have any incorrect information, corrected;
  • Right to erasure (“right to be forgotten): the right to request the removal of all data we hold. This right isn’t absolute and only applies in certain circumstances.

For more information on the rights an individual has, please read ‘How Nationwide uses your information’.

How can I request access to my/my client’s information?

Your/your client can access information in any of the following ways:

How can I ensure my client is provided with a GDPR compliant privacy notice?

We’ve updated our fair processing notices as well as our terms of business in order to comply with the GDPR. As part of the application process, you’ll be asked to ensure that your client has seen ‘How Nationwide uses your information’, and they’ve understood how their information will be used.