How to prepare for GDPR

As May 25th creeps forward, some firms are burying their head in an attempt to delay taking any action, or just out and out panicking. Both reactions are in response to not knowing what the heck to do. So, we’ve trolled the internet and wracked our brains to make sense of GDPR (and how companies can have gdpr compliance) and this is what we believe you need to do to prepare for the 25th May 2018.

1. Education

So, first thing first, educate yourself. Scarily, most business don’t know what GDPR is and how it will impact them. Now, we’re not suggesting that you become the new Harvey Specter, you just need to make sure you understand the main points of GDPR and apply them to your business – then inform your staff, it is important they know of the changes.

2. Inform your clients of their rights

Get to know the eight rights your clients will have under GDPR. Once you’ve got to grips with the rights and understand them, think about putting an email together to send to your clients to inform them.

3. Check the data you currently have

The way of consent is changing, so you should check how you received any client data and how they consented to this. Some data may need to be deleted and new consent given. Using a system such as FilecenterDMS could help streamline the process as with the documents digitized it will be easy to find them to assess this.

4. Update your third party contracts

Be aware of any third parties who process personal data on your behalf. Under GDPR, you are responsible and accountable for the actions taken by third parties. A new contract will need to be drawn up between yourself and third parties which will include a remedy against the processor in certain situations of data breaches or non-compliance to GDPR rules.

5. Identify your lawful basis

To process data under GDPR in a legal manner, you need to have a ‘lawful basis’ for doing so. There are a number of principles that give you this lawful basis, but sometimes the client’s rights may overrule yours; you may require the legal assistance of a law firm like Sidley Austin to guide you through this often complicated process. To give you an example, if you are solely relying on consent as a lawful basis to process data, then the individual’s rights in this case will prevail. However, if you are holding onto the client’s data for complaint reasons, then this trumps the individual’s rights (I can’t use the word ‘trump’ seriously anymore).

6. Is your privacy notice clear and concise?

Firms have always had to provide their clients information on how their personal data is processed. Now, the policy needs to be written in clear and plain English. If every internet user were to read every privacy policy on every website they visit, they would spend 25 days out of the year just reading privacy policies! If it was your job and you worked 8 hours each day, it would take you 76 working days to complete the task! This is why GDPR wants businesses to consolidate their policies.

7. Consent

Now clients consent needs to be gathered on an opt-in basis rather than an opt-out, which will result in the death of the opt in/out boxes. Think of the new rules as offering a cup of tea. If you were to offer a client tea and they reply with ‘yes please’ then you can proceed to give them a cup of tea. But, if the client is silent or says ‘no thank you’, then you don’t proceed to give them tea. The client needs to clearly consent and if they don’t, you cannot legally process their data. As a firm, you should review how you seek, record and manage consent and whether you need to make any changes to your process.

8. ‘Subject access requests’?

Currently, a business is allowed to charge up to £10 for a client’s subject request, but this is about to change. Your business needs to be able to fulfil an access request, identify the relevant data and comply with the request within one month of receipt of said request, free of charge.

9. Children

Have you got a process in place that allows you to verify an individual’s age? This is a must as parental consent is needed if the individual is a child. GDPR states that a child under the age of 16 cannot consent. There is talk of the age being lowered to 13 in the UK but this has not been confirmed yet.

10. Data breaches

You need to ensure the right procedures are in place to detect, report and investigate a personal data breach. We cannot stress this point enough as the fine for a breach has increased to €20,000,000 or 4% of global turnover, whichever is higher. This is not a fine I would want to be on the other side of! Notification of a breach to the ICO needs to occur within 72 hours.

11. Appointing a data protection officer

Lastly, the majority of you will probably need to appoint a data protection officer. There are certain criteria that make it compulsory for some firms to appoint one. However, we would recommend appointing one regardless of whether you hit these limits. The sensitive nature of data recorded in financial services means you should be protecting your clients as best as you can. And a data protection officer will give a single point of knowledge, and person to deal with any queries / potential breaches, which is just easier all round.

We have a lil’ blog coming next week on the most frequently asked questions we’re getting on GDPR, so keep an eye out for that.