Data Privacy

Summary

The Group has implemented a control framework to manage privacy and security risks to meet our responsibilities under data protection legislation. Governance forums have been established to ensure privacy and security issues receive high levels of visibility. Our internal standards require all business areas to adhere to and evidence compliance with GPDR obligations, including implementing privacy by design, fulfilling data subject rights and reporting potential incidents. Security controls have been reviewed against GDPR requirements. All staff are trained on their data protection and security responsibilities.

Direct Line Group’s Privacy Programme

The Group has implemented a clear Target Operating Model to embed Privacy roles and responsibilities within its Three Lines of Defence Model. Our Privacy and Data Protection Officer provides independent oversight and challenge as part of our second line risk function. We have embedded a first line Privacy and Information Management Team to embed privacy and data protection and information management requirements within our business areas. Regular assurance and audit activity is conducted to demonstrate adherence to our privacy standards.

GDPR

Then Group has implemented an extensive programme to ready our business areas to meet requirements introduced by the General Data Protection Regulation. This included processes to enable the Group to demonstrate accountability and its adherence to GDPR obligations. Records of processing activities have been documented and our privacy notices refreshed to provide greater transparency to individuals as to how their personal information will be processed. Processes to fulfil requests from individuals exercising their rights under GDPR have been introduced. This allows individuals to receive responses within prescribed timelines. Our existing incident reporting process has been tightened following introduction of GDPR to enable prompt escalation and assessment of potential incidents, to allow GDPR notification requirements to be met. Requirements have been added to our change governance process to enable early assessment of privacy and security risks and to develop a culture of Privacy by Design.

Policies

We have an established Privacy & Data Protection Minimum Standard. The Group has also implemented an Information Security and Information Management Minimum Standards. All business directorates are required to comply with the Minimum Standards and attest and evidence compliance with each standard. Our Policy and Minimum Standard Framework is reviewed and refreshed on an annual basis with oversight provided by our Risk Management Committee. These documents govern our business directorates and help ensure that personal and company data is protected in line with our obligations under data protection legislation.

Training

All employees and contractors are required to undertake data protection, security and information management training to remind them of data protection responsibilities. This informs them of key processes, such as escalating data subject rights or potential incidents. Mandatory training modules are reviewed and refreshed on an annual basis. In addition, ad-hoc training is delivered where specific training needs have been identified. Completion of training is monitored. The Group has also implemented an extensive communication plan to remind staff of their GDPR and Security obligations to ensure vigilance is maintained.