Corporation of Lloyd's Privacy Management Framework

Since the introduction of new data protection legislation (“DP Legislation”) we have been busy embedding a Data Privacy Framework across our business functions and activities to ensure we are meeting the requirements of the DP Legislation for both the Data Protection Act 2018 (DPA 2018) & the General Data Protection Regulation (GDPR).

Now seems like to good time to update you on what we have been doing and how we intend to continually demonstrate our ability to comply with the DP Legislation.

Our approach

• We initiated a programme to review, identify, remediate and control the implementation of the DP Legislation.
• We set up workstreams in line with the key areas of the DP Legislation:
  • Accountability & Governance
  • Lawful Basis & Individual Rights
  • Data Management
  • Information Security
  • Third Party Relationships
  • Ongoing Monitoring & Oversight and Controls
• We conducted audits with each function in the Corporation Lloyd’s to identify the personal data across the organisation and create a record of our processing activities.
• Create an oversight and control framework to review, test and embed our accountability measures and create a culture of privacy across the organisation.

What have we done?

Accountability & Governance

Operating Model

• Across the organisation we have identified the personal information used in our key business activities and established the purpose for processing and confirmed the appropriate status of ‘Controller’, ‘Controller in Common’, ‘Joint Controller’ or ‘Processor’ for each activity.
• Market firms’ user agreements have been updated to reflect the DP Legislation requirements.
• Lloyd’s minimum standards have been reviewed and updated to incorporate data privacy requirements.
• Lloyd’s market’s infrastructure including services to support its efficient running have been reviewed and appropriate technical measures are being implemented to ensure the ‘confidentiality, integrity and availability’ of systems and services.
• Our data governance framework has been updated to reflect the roles and responsibilities for protecting data.
• A Corporation of Lloyd’s Data Protection Officer has been appointed and will monitor internal compliance, inform and advise on our data protection obligations and act as our contact point for data subjects and the supervisory authority.

Policies

• Our Data Protection, Information Security, Data Incident Management and Data and Document Retention policies and corresponding standards and employee guides have been updated to ensure all relevant elements of the DP Legislation have been applied.

Change Management

• Our Change Management methodology now includes tools to risk assess data protection at the outset of any change in our activities. These tools include:
  • Data Protection Impact Assessments (DPIA)
  • Information Security Questionnaires (ISQ)
  • Request for Proposal (RFP) templates.

Training

• Online data protection training and awareness modules have been introduced across the Corporation and have been completed by all staff.
• Our ‘Raising Awareness’ data programme will continue the reinforcement of the data protection principles.
• Functional areas identified as being particularly impacted by changes in DP legislation were provided tailored training. Topics covered included DPIAs, Subject Access Requests and Data Incident Management.

Lawful Basis & Individual Rights

• Our activities have been assessed and a lawful basis for processing has been applied to activities that process personal data.
• Legitimate Interest Assessments (LIA) have been completed for activities using legitimate interests as a lawful basis.
• In relation to activities requiring consent we are able to demonstrate how such consent has been obtained, recorded and managed.
• Privacy notices are in place for activities where we collect personal data.
• All aspects of Individual’s Rights requirements under the DP Legislation have been reviewed for all our activities.
• We have updated our processes to ensure that we respond to a subject access requests without undue delay and in accordance with the timeframes specified in the DP Legislation.

Data Management

• We completed information audits and workshops across the organisation to identify what personal data is held for all our processing activities.
• Functional level business process maps and procedures are in place for all activities that process personal data.
• Records of processing documentation is held electronically for each of our activities confirming the information required including privacy notices, records of consent, controller-processor contracts, the location of personal data, DPIAs and records of personal data breaches.
• Data sharing agreements are being executed with all our applicable branches and subsidiaries.
• Data retention practices have been updated and our removal, destruction and protection procedures are being enhanced.

Information Technology & Security

• Our IT Security standards provide guidance on the appropriate level of security that is required for our processing activities. 
• All systems and applications have been assessed and appropriate technical controls and measures are being used to protect our data.
• System architecture diagrams and a data flow library have been created and will be maintained and updated regularly.
• We have embedded the Cyber Essential framework into our technical controls.
• Encryption and/or pseudonymisation are being used when it is appropriate to do so.

Third Party suppliers

•  A full review of our suppliers has been completed, prioritising those that process personal data. Work continues to ensure all our supplier contracts meet the requirements of the DP Legislation.
• Confirmation and evidence from each vendor to demonstrate compliance with the DP Legislation has been requested and reviewed.

Ongoing Monitoring & Oversight and Controls

• A ‘Record of Processing” repository has been developed as the ‘go to’ reference point for information on our activities and how we are protecting the data being used for processing across the organisation.
• A set of data protection controls are being developed and will be integrated within our risk controls process to ensure we continually review, monitor, test and update our data protection accountabilities and measures.

Implementing our Privacy Management framework ensures that we meet our ongoing data protection accountability obligations and the measures we have adopted will allow us to demonstrate our compliance with the DP Legislation.

If you have any questions on any of the topics please email data.protection@lloyds.com