12 things you need to know about the General Data Protection Regulation (GDPR)
GDPR will replace the 1998 Data Protection Act (DPA) on 25 May 2018, and organisations should already have taken steps to ensure they are compliant. However, in our discussions with financial advisers there still seems to be some confusion in certain areas, so we thought it appropriate and timely to share the information which Brooks Macdonald have prepared to help advisers.
Brooks Macdonald have taken the key points of the Information Commissioner's Office (ICO) 12-step checklist and summarised how these may affect professional advisers. You can access the full article on their website (in parts one and two); below we have selected five of the key points which should help towards ensuring compliance.
Awareness
Given GDPR's far-reaching implications, companies should be fully aware of the impact it will have on the way they operate and, therefore, of the changes they will need to make in order to be compliant.
Last-minute preparations are likely to result in breaches. GDPR will affect adviser marketing as well as IT, HR, and front- and back-office systems; all decision makers for these business areas will need to be aware of the legislation and its implications.
Advisers should consider staff training or communications programmes to educate those involved in the processing of personal data about the new requirements and processes in place.
Information you hold
Any data relating to an identifiable person, or from which a person can be identified, constitutes personal data. Companies must be aware of what type of personal data they store, where it came from and who they share it with. There are requirements in place for correcting inaccurate data, and companies will have to be able to demonstrate that they comply with these, as well as with GDPR's other data protection principles.
Advisers need to ensure that any personal data they hold, whether physically or digitally, stored in archive facilities, in their CRM system, back office systems, or platforms is relevant and accurate. Processes should be in place to keep such data secure, up to date and compliant with the rights of their clients.
Communicating privacy information
Companies need to make individuals aware of how they intend to use their personal data. If companies already have privacy notices in place, these may need to be updated to comply with GDPR’s more robust requirements.
The language used by advisers to inform individuals of how their data will be used should be clear and concise. Advisers will also need to clarify whether personal data will be passed on to third parties and state this in their privacy notices.
Consent
Consent means offering individuals control and choice over how their personal data is used. When seeking consent, companies must be concise and specific: an opt-in only constitutes consent when it results from a positive action by the individual (ticking a box, rather than failing to un-tick a pre-ticked box).
The standard of consent has been significantly enhanced from that under the DPA: it cannot be inferred from inactivity, and there must be a simple means for individuals to withdraw it. Advisers should take steps to satisfy themselves that their existing consents meet the enhanced requirements, and should have procedures in place to suppress data where consent has been withdrawn.
Data breaches
Under GDPR, all organisations are duty-bound to report certain types of personal data breach to the ICO and, where the breach is likely to result in a high risk to the individuals concerned, to those individuals as well. Companies must therefore be able to detect, investigate and report personal data breaches.
Adviser firms acting as data controllers will need to review their policies and procedures for breach detection, and assess any third-party systems they rely on to ensure these are compliant and will enable them to identify breaches promptly. Notifiable breaches must be reported to the ICO within 72 hours of the firm becoming aware of them.
The other points covered in the full document are:
» Individuals' rights
» Subject access requests
» Lawful basis for processing personal data
» Data Protection by Design and Data Protection Impact Assessments
» Data Protection Officers (DPOs)