You are not alone if the sight of more acronymised regulations has become TMTH (too much to handle); whilst everyone is still getting to grips with MiFID II, updates from MLD4 and consultations on SMCR and pensions, to name a few, we are faced with another regulatory sucker punch… the General Data Protection Regulation, or its more common alias, GDPR.
This time 12 months ago, I started seeing emails about something called GDPR and I signed up to various webinars, seminars and breakfast meetings to see what the craic was about (although the latter was more about the bacon sarnies than regulation). I came out terrified – convinced that compliance life as I knew it was over and that the impending implementation of GDPR was going to fundamentally change the way firms did business. Thanks to a little coaxing from an acquaintance who works in information security, I was convinced that the world was not about to end. So, in the spirit of reciprocity, I’m stealing his wise words and sharing them with you.
1. The ICO is your friend! I’m not saying that you will go to the pub to chat data protection over a beverage, but they are approachable if you have questions. Do not suffer in silence: if the guides and checklists on their website do not answer a question, you can pick up the phone and (albeit after a bit of a wait) they are happy to help, answer in plain English and even follow up with an email for that all-important audit trail.
2. Who, what, where, why and how: put simply, if you haven’t already, find out whose data you hold, what the data is, where it is stored on your systems, why it’s there (more on the why in a moment) and how you would act on a request from an individual in respect of that data. The best way to start this is with a data map – you can use programs like Visio, or if you don’t have the licences Google is going to be your friend: search ‘free flow chart software’. A data map will answer the who, what and where, but it will also direct your thinking to find out about the how and work out the why.
3. It’s all about why… and it’s not always about consent! Whilst a data subject’s consent will form part of your plans, especially for any marketing promotions you may do, it is important to understand that if data processing is necessary either to fulfil a contract or service you have with a client, or if you are under a legal obligation to process the data, then you could have a lawful basis that does not require consent. Read the ICO’s guide on lawful bases; whilst I cannot promise it is a scintillating read, it will certainly help you to evidence why you hold the data that you do.
4. If you do need consent, explicit means exactly that. Do not believe people who tell you that if a data subject does not respond you can still process their data. If you work off data lists, as many firms do, then if you don’t get that all-important positive opt-in, sadly, you may have to bin the list.
5. Don’t be like Mr Zuckerberg: tell people what you are going to do with their data (especially if you are sharing it with anyone else)! Communicate with your clients, tell them why you hold their data and what you’re doing with it. This can be done by issuing new privacy notices and updating your terms of business.
6. Show your working out… yes, like in school! As a financial services firm, you are (or should be) best placed to deal with the implementation of regulation, and a lot of what GDPR requires you will already be doing as part of your existing day-to-day services. Other than the obvious differences between the DPA and the Data Protection Bill (e.g. IP addresses and biometric data), the biggest change is that it is no longer sufficient just to adhere to the regulations; you now need to show how you are adhering to them.
7. Privacy by design, not default. The GDPR D-Day will come and go, but it is important to remember that this isn’t the end of the journey. Consider carrying out a Data Privacy Impact Assessment, or DPIA (more acronyms – sorry!), when implementing new processes or introducing new products or systems as part of your Business as Usual (BAU… sorry, couldn’t help squeezing in one more) process.
8. My last point, but by no means least… DO NOT PANIC. No-one, not even the gods of the ICO, is expecting everyone to be 100% compliant by 25 May. As long as you can show that you are working towards it, that you understand what you have to do and, as a minimum, have got the key elements outlined above boxed off, then you can rest assured that you are on track.
If you are still wondering where to start, then give us a call on 0161 521 8641 to chat about how b-compliant can help lighten the GDPR burden for you.