DLG has implemented a control framework to manage privacy and security risks and to meet our responsibilities under data protection legislation. Governance forums have been established to ensure privacy and security issues receive high levels of visibility. Our internal standards require all business areas to adhere to and evidence compliance with GDPR obligations, including implementing privacy by design, fulfilling data subject rights and reporting potential incidents. Security controls have been reviewed against GDPR requirements. All staff are trained on their data protection and security responsibilities.
Direct Line Group’s Privacy Programme
The Group has implemented a clear Target Operating Model to embed privacy roles and responsibilities within a Three Lines of Defence model. Our Privacy and Data Protection Officer (DPO) provides independent oversight and challenge as part of our second line risk function. We have established a first line Privacy and Information Management Team to embed privacy, data protection and information management requirements within our business areas. Regular assurance and audit activity is conducted to demonstrate adherence to our privacy standards.
Processes to fulfil requests from individuals exercising their rights under GDPR have been introduced. These allow individuals to receive responses within the prescribed timelines. Our existing incident reporting process has been enhanced to enable all incidents, breaches and near misses to be identified and escalated to the privacy team and DPO for review. This process enables DLG to assess any risk of harm to data subjects and to meet the requirement to notify the Information Commissioner’s Office (ICO) within 72 hours as prescribed under GDPR. It also enables data subjects to be notified where required. Requirements have been added to our change governance process to enable early assessment of privacy and security risks and to develop a culture of Privacy by Design.
We apply the GDPR principle of “data minimisation”, collecting only the minimum amount of personal information necessary to fulfil our purposes for processing data. Significant investment has been made in our retention strategy so that personal information is not kept longer than required, and the defined periods are set out within our retention schedule. Once the retention period ends, the data is either deleted, anonymised or put beyond use in accordance with ICO guidance.
Appropriate technical and organisational measures are implemented to protect personal data. DLG has a mature security framework to support the protection of personal data. Security controls are regularly reviewed, reported on and monitored, and are tested for effectiveness by external independent auditors. As part of our GDPR programme, a review of the security framework was conducted to ensure that it aligned with GDPR requirements and operated in accordance with the risk-based approach promoted by GDPR. Furthermore, cyber risk playbooks have been developed to help protect our business in the event of a cyber attack. All new initiatives and uses of personal data are required to undergo an impact assessment, which is reviewed by the security and privacy teams for validation before the initiative can go live. This supports an approach of Security and Privacy by Design and is part of our change governance process.
We also require all suppliers to meet our high security standards and to adhere to our Information Security Minimum Requirements. Suppliers are contractually required to meet and demonstrate adherence to these requirements. Our dedicated security assurance team conducts in-depth reviews of suppliers prior to engagement and at regular intervals thereafter to review compliance.
We have an established Privacy & Data Protection Minimum Standard. DLG has also implemented an Information Security Minimum Standard, which includes user access controls that limit access to personal data on a need-to-know basis, and Information Management Minimum Standards. All business directorates are required to comply with the Minimum Standards and to attest and evidence compliance with each standard. The Policy and Minimum Standards Framework governs our business directorates, helps to ensure that personal and company data is protected in line with our obligations under data protection legislation, and ensures that adequate technical and organisational measures are in place to protect personal data.
Privacy and data security are within the remit of our Risk Management Committee, which reviews our Policy and Minimum Standards Framework on an annual basis. We have also established Privacy Steering Committees to review privacy risks and developments on a directorate basis; these feed into a pan-group Privacy & Information Management Committee. Issues are escalated as required to the Operational Risk Committee and then to the Risk Management Committee.
All employees and contractors are required to undertake data protection, security and information management training to remind them of their data protection responsibilities. This training also informs them of key processes, such as recognising and escalating data subject rights requests or potential privacy incidents. Mandatory training modules are reviewed and refreshed on an annual basis. Ad-hoc training is delivered where specific training needs have been identified. Completion of training is monitored. DLG has also implemented an extensive communication plan to remind staff of their GDPR and security obligations and to ensure vigilance is maintained.