What the GDPR!

GDPR Is Here

You are not alone if the sight of more acronymised regulations has become TMTH, too much to handle. While everyone is still getting to grips with MiFID II, updates from MLD4, consultations on SMCR and Pensions, we are faced with another regulatory sucker punch, the General Data Protection Regulation, or its more common name, GDPR.

First Impressions

Twelve months ago, I started seeing emails about something called GDPR. I signed up for various webinars, seminars and breakfast meetings to find out what it was about, although the breakfasts were more about the bacon sandwiches than regulation. I came out terrified, convinced that compliance life as I knew it was over and that GDPR would fundamentally change how firms did business. Thanks to coaxing from an acquaintance in Information Security, I realised the world was not about to end. In the spirit of reciprocity, I am sharing his wise words with you.

The ICO Is Your Friend

The ICO is approachable if you have questions. You will not meet them in a pub to chat about data protection, but they are happy to help. If the guides and checklists on their website do not answer a question, you can pick up the phone. They will answer in plain English and can follow up with an email for an audit trail.

Who, What, Where, Why and How

If you have not already, find out whose data you hold, what the data is, where it is stored, why it is there and how you would act on a request from an individual. The best way to start is with a data map. You can use programmes like Visio or, if you do not have a licence, search for free flow chart software online. A data map will answer the who, what and where, and it will also help you think about how and why.

It Is All About Why

Consent will form part of your plans, especially for marketing promotions. However, if data processing is necessary to fulfil a contract or service with a client, or if you are under a legal obligation to process the data, then you may have a lawful basis that does not require consent. Read the ICO’s guide on lawful bases. It may not be scintillating reading, but it will help you evidence why you hold the data.

Explicit Consent

If you need consent, explicit means exactly that. Do not believe people who tell you that if a data subject does not respond, you can still process their data. If you work from data lists, then without a positive opt in, you may have to discard the list.

Communicate With Clients

Tell people what you are going to do with their data, especially if you share it with anyone else. Communicate why you hold their data and what you are doing with it. You can do this by issuing new privacy notices and updating your terms of business.

Show Your Working

As a financial services firm, you should be well placed to implement regulation. Much of what GDPR requires you to do will already be part of your daily services. Apart from a wider definition of personal data, which now expressly covers online identifiers such as IP addresses as well as biometric data, the biggest change is that it is no longer enough to comply with the rules. You now need to be able to demonstrate how you comply, with records and evidence to show it.

Privacy by Design

The GDPR day will come and go. Remember, this is not the end of the journey. Consider carrying out a Data Protection Impact Assessment, or DPIA, whenever you introduce new processes, products or systems, and make it part of your business as usual process.

Do Not Panic

No one, not even the ICO, expects everyone to be 100 percent compliant by 25 May 2018. As long as you can show that you are working towards compliance, understand what you need to do, and have the key elements covered, you are on track.

If you are still wondering where to start, contact us on 0161 521 8641 to discuss how B-Compliant can help lighten the GDPR burden for you.
