On 25th May 2018, the EU General Data Protection Regulation (GDPR) will come into effect and companies need to understand the impact. GDPR builds on the current law, and brings the protection of personal data into the modern digital world with the accountability squarely on the business.
In particular, companies will need to review their current data protection compliance and make sure they have the right policies and procedures to detect, report and investigate a personal data breach. For financial adviser firms this translates to controlling and safeguarding client data – where and how they acquired it, how and who it is shared with and how and where the data is stored.
This will include internal data held by the company but, just as importantly, external information gathered from and shared with their clients. For example, requesting and receiving mortgage application personal information via the client’s unsecured email places a substantial amount of their personal information at risk and outside the control of the company.
Here is a checklist of what advisers need to know and do to ensure they remain compliant in a post-GDPR world.
- Understand your data: Arrange an information audit, ensuring you document what personal data you hold, where it is stored, who can access it and who it is shared with, both internally and externally.
- Understand clients’ rights: Check that your privacy notices explain what personal data you are collecting and why, how you can evidence the deletion of such data to the client, and how you will provide electronic copies upon request.
- Data compliance by design: Data protection is a business issue and requires much more than a technical IT solution.
- Develop a data safeguarding culture: Appoint a Data Protection Officer who supports the education of staff and reports to the Board, providing regular updates on your data compliance policies, issues, risks, breaches or standards that require enhancement.
- Subject Access Request (SAR): Plan how you will provide information from a SAR within the GDPR timescales and in a compliant format.
- Data breaches: Ensure that you have the correct procedures to detect, investigate and report data breaches, within GDPR timescales, to all parties affected: internally, to the clients affected and within your wider network.
- Internal data: Review your internal data security, antivirus and threat protection to safeguard your corporate environment.
- Data encryption: Implement procedures to protect personal data against unauthorised or unlawful processing of data you request or store, such as the use of encryption. Even if your email server is secure, the information may be unencrypted at the client end.
- Client communications: Review how you communicate and share information with your clients, what information you request, and how it is transferred, copied and stored, at their end as well as yours.
- Data access: Ensure that ALL personal data relating to a client is stored in one place, in an encrypted state, so that it can be accessed and deleted upon request.
- Client consent: Use GDPR to inform your clients that you will safeguard their information and never request or exchange personal information with them without secure transfer, that their data will be stored securely and that it will not be shared without their knowledge.
- Client service: Provide your clients with an electronic and comprehensive trail of all communication in an easy-to-access, transparent format that they can reach via their chosen electronic device.
- Formal processes must be put in place to ensure the quality of data. It makes sense for business, as well as data security, to ensure that the data an organisation holds is as accurate as possible. However, GDPR asks that ‘every reasonable step’ is taken to ensure the accuracy of data held and that inaccurate data is erased or rectified without delay.
- You will be liable for ensuring that your entire supply chain adheres to GDPR requirements. When purchasing and sharing data (for example, if you pass data to a third party to conduct a mailing), you are responsible for undertaking due diligence to ensure that every part of your supply chain meets the GDPR rules.
- The rules are more stringent regarding data subject consent. The existing Data Protection Act does state that consent to use their details must be given by the data subject; however, the GDPR will put a higher burden on establishing the validity of that consent, and the data subject must be fully informed of their right to withdraw consent to use their details.
The Information Commissioner’s Office (ICO) must be informed if a data breach occurs. Again, this is not a big change for most firms, as it is already recommended that any serious breaches should be reported. The GDPR will make this mandatory and introduce a new process and timeframes. The ICO has provided a useful checklist to help firms ensure they are fully compliant with the requirements of GDPR; you can find it online.