As May 25th creeps forward, some firms are burying their head in an attempt to delay taking any action, or just out and out panicking. Both reactions are in response to not knowing what the heck to do. So, we’ve trolled the internet and wracked our brains to make sense of GDPR and this is what we believe you need to do to prepare for the 25th May 2018.
So, first thing first, educate yourself. Scarily, most business don’t know what GDPR is and how it will impact them. Now, we’re not suggesting that you become the new Harvey Specter, you just need to make sure you understand the main points of GDPR and apply them to your business – then inform your staff, it is important they know of the changes.
Get to know the eight rights your clients will have under GDPR. Once you’ve got to grips with the rights and understand them, think about putting an email together to send to your clients to inform them.
The way of consent is changing, so you should check how you received any client data and how they consented to this. Some data may need to be deleted and new consent given.
Be aware of any third parties who process personal data on your behalf. Under GDPR, you are responsible and accountable for the actions taken by third parties. A new contract will need to be drawn up between yourself and third parties which will include a remedy against the processor in certain situations of data breaches or non-compliance to GDPR rules.
To process data under GDPR in a legal manner, you need to have a ‘lawful basis’ for doing so. There are a number of principles that give you this lawful basis, but sometimes the client’s rights may overrule yours. To give you an example, if you are solely relying on consent as a lawful basis to process data, then the individual’s rights in this case will prevail. However, if you are holding onto the client’s data for complaint reasons, then this trumps the individual’s rights (I can’t use the word ‘trump’ seriously anymore).
Now clients consent needs to be gathered on an opt-in basis rather than an opt-out, which will result in the death of the opt in/out boxes. Think of the new rules as offering a cup of tea. If you were to offer a client tea and they reply with ‘yes please’ then you can proceed to give them a cup of tea. But, if the client is silent or says ‘no thank you’, then you don’t proceed to give them tea. The client needs to clearly consent and if they don’t, you cannot legally process their data. As a firm, you should review how you seek, record and manage consent and whether you need to make any changes to your process.
Currently, a business is allowed to charge up to £10 for a client’s subject request, but this is about to change. Your business needs to be able to fulfil an access request, identify the relevant data and comply with the request within one month of receipt of said request, free of charge.
Have you got a process in place that allows you to verify an individual’s age? This is a must as parental consent is needed if the individual is a child. GDPR states that a child under the age of 16 cannot consent. There is talk of the age being lowered to 13 in the UK but this has not been confirmed yet.
You need to ensure the right procedures are in place to detect, report and investigate a personal data breach. We cannot stress this point enough as the fine for a breach has increased to €20,000,000 or 4% of global turnover, whichever is higher. This is not a fine I would want to be on the other side of! Notification of a breach to the ICO needs to occur within 72 hours.
Lastly, the majority of you will probably need to appoint a data protection officer. There are certain criteria that make it compulsory for some firms to appoint one. However, we would recommend appointing one regardless of whether you hit these limits. The sensitive nature of data recorded in financial services means you should be protecting your clients as best as you can. And a data protection officer will give a single point of knowledge, and person to deal with any queries / potential breaches, which is just easier all round.
We have a lil’ blog coming next week on the most frequently asked questions we’re getting on GDPR, so keep an eye out for that.