If you aren’t already aware, the European Union’s General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, superseding the Data Protection Act 1998 (DPA).
There’s quite a lot of talk about the implications – especially with regard to penalties – but many organisations are still unprepared.
Financial advisers will need to know how the regulation will impact their business, and how they can prepare their staff.
1) Tell your staff who GDPR applies to
GDPR applies to your company if you process the personal data of any EU citizen.
So it will apply to UK citizens until we leave the EU in March 2019, and still apply post-Brexit if you hold data on EU citizens.
In any case, it’s likely any future data protection act will be essentially GDPR with a different name.
GDPR will be the responsibility of the Information Commissioner’s Office (ICO) in the UK, although it’s important to note that any European data regulator can act against a UK company.
2) Explain consent
The definition of ‘personal data’ is wider under GDPR, and includes such items as genetic, mental, cultural, economic or social information – even the IP address of the computer a person uses to access your website can be classed as personal data.
You must prove you have explicit, clear and affirmative consent from an individual to hold their data, as well as telling them how long you’re holding it for, who you are sharing it with and how they can withdraw consent and have their data erased.
If you do share data, you will also need to make sure the other party is compliant.
The onus is on you to prove you have done things correctly.
The safest route is to contact your customers and re-obtain consent – if they do not give it, or do not respond to your approach, you should delete their information from your databases.
Some businesses, such as pub-chain Wetherspoons, have already made the decision to delete their entire customer email database.
As more people become aware of GDPR, you can also expect more requests from individuals querying what data you’re holding.
3) Make them aware of what to do if things go wrong
You’ll have to inform the ICO of any data breach within 72 hours of discovering it, so you’ll need to consider how you’ll detect and respond to breaches.
You’ll also want to make sure you have safeguards in place – is personal data backed up regularly?
Is it accurate? Do you keep it encrypted?
Getting it wrong can be costly, as fines can go up to €20 million or 4% of global revenue.
However, whilst the fines are meant to be punitive, it is unlikely that the ICO would want to put anyone out of business through an excessive fine.
This is just a short overview. You should visit the ICO’s website for more information, attend webinars from reputable companies (beware less-qualified firms trying to ‘cash in’ on GDPR) and consider talking to cyber security and data privacy experts on how you can best prepare.
Most of all, don’t panic – but do prepare.
You still have time to get your data in order.