With only just over a month to go before GDPR is introduced, firms do not have long to prepare.
Even if a business feels it is not ready for the new EU-wide legislation, there are some simple steps it can take and issues it can easily address in order to become compliant.
“First and foremost, firms should read and understand the GDPR itself. Involve every department, not just legal and IT,” suggests Mark Stringer, partner, UK head of wealth and asset management at Capco.
Whatever stage a business is at with implementing GDPR, now might be a good time to perform a GDPR readiness assessment, according to Mr Stringer, and document what still needs to be done.
He adds: “Create a checklist of likely regulatory and audit questions, and ensure leadership and management have the answers to them.”
Finally, Mr Stringer says firms need to: “Educate employees and strongly encourage culture and process change and embed security by design in processes and projects.”
According to Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, the steps firms need to take ahead of GDPR are to review how they currently handle data, understand the changes they need to make to be compliant and then take action.
“Commence high level planning to help gauge key timings and ‘must do now’ activities, such as enhancing the language for consents and how consents will be documented, creation of staff training plans, and updating privacy policies,” she urges.
In terms of action to be taken, Ms Gibson outlines:
- Contact clients and prospects to obtain new consents, and build a procedure to withdraw consent, if required.
- Establish and test procedures for detecting, investigating and reporting breaches.
- Commence staff training to ensure that all employees understand the requirements of GDPR and their individual responsibilities for ensuring compliance to embed best practice throughout the organisation.
Firms may want to call on external help to prepare for GDPR or, indeed, hire someone on a longer-term basis to maintain data protection standards within the business.
David Marchese, consultant at Gordon Dadds, says: “Unless the firm has a dedicated in-house team with expert data protection competence, they will need outside specialist help.
“One of the key points is that in some areas companies will be obliged to appoint an official data protection officer (DPO) who has in-built protections under the GDPR (for instance, they can’t be sacked for doing their job).”
He continues: “Other firms will have to decide whether to appoint one on a voluntary basis, or appoint someone (or more than one person, or an outside agency) to undertake similar tasks.”
Ms Gibson notes: “Under the regulation, it is mandatory to appoint a DPO for firms that conduct large scale processing of sensitive personal data, or if there is systematic monitoring of individuals.
“The DPO will be responsible for data protection and privacy governance to ensure GDPR compliance remains on track.”
Otherwise, there are plenty of resources available for firms that require some assistance planning for GDPR, including via the Information Commissioner's Office website.
Square Health has produced a booklet, called 'Raising the bar in data security excellence', to help firms in the planning of GDPR, which includes useful infographics such as the following: