General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a piece of legislation that has replaced the Data Protection Act 1998. It has enhanced and strengthened individual rights, increased compliance obligations and expanded investigative and enforcement powers for The Information Commissioner’s Office (ICO).

GDPR impacts how companies collect, store and use customers personal data as well as the controls and governance around these activities. The principles of data protection remains similar to the previous legislation but places more focus on the accountability of the organisation. This gives individuals more control around the handling of their personal information. This includes new rights to help people understand how we use their data and how to manage their data privacy.

Customers will have the right to:

object to the processing of personal information any further
ask to obtain the information held about them or transfer a copy to another provider
request to have any incorrect information, corrected
request the removal of all data we hold. This right isn’t absolute and only applies in certain circumstances.

Our fair processing notices and terms of business comply with the GDPR. As part of the application process, you’ll be asked to ensure that your client has seen and understood ‘How Nationwide uses your information’.

Personal data and special category data This will reveal additional content

The GDPR defines personal data as any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who is identified, directly or indirectly.

In particular by reference to an identifier such as:

a name
an identification number
location data
an online identifier
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes:

Personal details
Family and lifestyle details
Education and training
Medical details
Employment details
Financial details
Contractual details (goods and services provided to a data subject for example)
Genetic, biometric and health data
Online identifiers (IP addresses, cookies).

You can send information relating to applications to us by uploading the documents to the case in NFI Online. If you need to send an email or documents containing personal data outside NFI Online, you should ensure it's encrypted. Contact us on Broker Chat if you need to do this.

Special category data

There is a subset of personal data known as ‘special category data’. This is personal data deemed more sensitive under the GDPR and so requires greater safety measures to ensure its protection.

Examples of special category data include:

Racial or ethnic origin
Political opinion
Religious beliefs or other beliefs of a similar nature
Trade Union membership
Physical or mental health or condition
Sexual life
Biometrics

The difference between Data Subject, Data Controller and Data Processor This will reveal additional content

The GDPR defines these terms as the following:

Data subject: an individual who is the subject of personal data.

Data controller: a person who (either alone or jointly or in common with other persons) determines the purpose and manner in which any personal data are, or are to be, processed.

Data processor (In relation to personal data): a person (other than an employee of the data controller) who processes the data on behalf of the data controller.

The intermediary is acting as an independent Data Controller in respect of the personal data that they capture and process as part of their advice activities. They will input data into our systems for processing once the customer selects the Nationwide product. This is on a Data Controller to Data Controller basis. This is because neither party is processing personal data for the other and each is determining the purpose of the processing of that data. This is to introduce the business and obtain a procuration fee and the servicing of those customers.

Where the intermediary passes data over to us and we're considering whether to lend to a customer, Nationwide and the intermediary are acting as a Data Controller. We'll be processing the data for its own purposes to determine whether to lend or not. This is irrespective of whether this is at DIP or FMA stage. The intermediary is submitting that data to Nationwide for its own purposes and not under our instructions. The intermediary will remain a Data Controller.

We'll review our Terms and Conditions and will continue to monitor and make changes where it sees fit. We’re not looking to make explicit changes to our contracts with members. We have updated our Fair Processing Notice to bring it in line with the demands of the regulation and improve it's usability.

Requesting access to client information This will reveal additional content

You/your client can access information in any of the following ways:

Access our new web-form
Advise your client to contact the call centre
Advise your client to visit their local branch

Reporting a GDPR breach This will reveal additional content

Where it’s identified there’s a potential breach, this must be reported to the ICO within 72 hours. For high risk breaches, you must notify any impacted individuals.

Failure to notify a breach, when required to do so could result in:

A fine of up to £20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

For full details on GDPR, please visit the Information Commissioner’s Office (ICO) website.