GDPR in 5 easy(ish) steps

On Wednesday we had the pleasure of attending Nucleus’ GDPR masterclass presented by Phil Young. Phil shared his wisdom with us which made us reflect as a business, what we and advisers need to do to be compliant by 25th May.

These are the top 5 things we took away from the event:

  1. There has been a lot of confusion around SMEs appointing Data Protection Officers. As it stands, small businesses under GDPR with less than 250 employees (so most IFAs) have reduced obligations in terms of documenting processes and carrying out data impact assessments. However, this exemption does not apply to processes which are higher risk and include ‘special category data’. Individual’s data surrounding their health, racial or ethnic origin, their political beliefs etc. are classed as special category data. All IFAs will have this type of information on their clients and therefore need to appoint a DPO.


  1. B2B marketing is not caught under GDPR, wahoo! So, if you send marketing pieces to the company email e.g., this is not caught under GDPR. However, if you are sending marketing pieces to an individual, regardless of it being their work email, or their personal email, it will fall under GDPR. So be careful who you are sending the marketing to!


  1. We know most companies use DropBox, as do we. It’s easy and convenient. The advice we are relaying to you is to purchase the business DropBox version. From this you can choose which satellite your details will go to and from. If you choose one based within the EU (which you can) your data will never leave the EU and therefore should not breach GDPR, irrespective of it being an American based company. Although they do not specifically say this, it implies it.


  1. A Privacy Impact Assessment. Didn’t know this was a thing? No, us either to be honest. Basically, you need to identify the most important and high-risk data you process, and what action you need to take to protect this data. You should be sending them to every third party you deal with, so you can understand how they store their data and if you think your data is safe with them. After all, you’ll be held responsible under GDPR, not the third party.


  1. And last but certainly not least, the process of notifying your client. Now you all know you need to notify your client as well as the ICO when a breach occurs, but what do you say to them? Yesterday we received some handy pointers:
    • Tell them what has happened – was it a personal target or incidental?
    • The possible consequences – identify theft, fraudulent withdrawals of money
    • What steps you have taken – notifying the ICO, the police, platforms, life companies, fund groups.
    • Steps the client can take – contacting bank, DVLA, request a copy of your credit file, checking their junk mail etc
    • Tell your clients to change their passwords
    • Get them to monitor their accounts for any suspicious activity.

As time goes on, we all seem to understand GDPR that little bit more, and hopefully by 25th May, we will all be experts and find this stuff a breeze… We can dream, right?!