Regulation | Oct 3 2017

How to prepare for GDPR

  • To understand what GDPR is.
  • To learn what processes firms will need to put in place.
  • To understand how the regulation can benefit a firm.
CPD: approx. 30 min

The conditions for consent have been strengthened. Under Article 7, consent should be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”, and there ought to be some form of clear ‘affirmative action’, meaning an opt-in rather than an opt-out. If your business relies on individuals’ consent to process their data, now is the time to begin securing their approval and to validate that you have received it before GDPR comes into force.

Fines

Under GDPR, fines associated with noncompliance are up to 4 per cent of annual turnover or €20 million, whichever is higher. This is the maximum fine that can be imposed upon a business for the most serious infringements, such as not requesting proper customer consent. Fines will work in a tiered approach depending on the severity of the noncompliance, and GDPR enforcement will apply to both controllers and processors.

Individuals’ rights

Individuals are granted increased rights regarding the use of their personal information, including the right to access, remove, object and transmit their data. 

Under their expanded rights, individuals have the right to know whether personal data concerning them is being processed, where and for what purposes. If an individual asks for their information, GDPR states it must be given to them free of charge and within one month.

The right to be forgotten, also known as Data Erasure, allows individuals to require the processor and controller to erase their personal data. As outlined in Article 17, this also covers situations where the data is no longer relevant to the original purposes for which it was being processed. Individuals can also object to their data being used for direct marketing purposes, limiting the ability of marketers to profile individuals for promotional purposes.

To manage this requirement, firms that do not have the resources to introduce a compliance or data officer role should consider a third-party system.

Finally, individuals have the right to have their data moved to another controller “without hindrance from the controller”. For anyone who has previously struggled to move banks or phone companies, this will provide individuals with the ability to more freely move their accounts and information to another business.

Capitalising on long-term benefits

As with any new change initiative, implementation may be difficult for some firms to manage. Yet as businesses begin to execute, monitor and review controls and procedures to be compliant with GDPR, they will see its long-term benefits. Three of these are outlined below:

Data security
