Data protection | Apr 12 2018

Hints and tips to help firms get GDPR ready


Even if a business feels it is not ready for the new EU-wide legislation, there are some simple steps it can take and issues it can easily address in order to become compliant.

“First and foremost, firms should read and understand the GDPR itself. Involve every department, not just legal and IT,” suggests Mark Stringer, partner, UK head of wealth and asset management at Capco.

Whatever stage a business is at with implementing GDPR, now might be a good time to perform a GDPR readiness assessment, according to Mr Stringer, and document what still needs to be done.

He adds: “Create a checklist of likely regulatory and audit questions, and ensure leadership and management have the answers to them.”

Finally, Mr Stringer says firms need to: “Educate employees and strongly encourage culture and process change and embed security by design in processes and projects.”

According to Linda Gibson, director of regulatory change and compliance risk at BNY Mellon’s Pershing, the steps firms need to take ahead of GDPR are to review how they currently handle data, understand the changes they need to make to be compliant and then take action.

“Commence high level planning to help gauge key timings and ‘must do now’ activities, such as enhancing the language for consents and how consents will be documented, creation of staff training plans, and updating privacy policies,” she urges.

In terms of action to be taken, Ms Gibson outlines:

  • Contact clients and prospects to obtain new consents, and build a procedure to withdraw consent, if required.
  • Establish and test procedures for detecting, investigating and reporting breaches.
  • Commence staff training to ensure that all employees understand the requirements of GDPR and their individual responsibilities for ensuring compliance to embed best practice throughout the organisation.

Firms may want to call on external help to prepare for GDPR or indeed, hire someone on a longer-term basis to maintain data protection standards within the business.

David Marchese, consultant at Gordon Dadds, says: “Unless the firm has a dedicated in-house team with expert data protection competence, they will need outside specialist help. 

“One of the key points is that in some areas companies will be obliged to appoint an official data protection officer (DPO) who has in-built protections under the GDPR (for instance, they can’t be sacked for doing their job).” 

He continues: “Other firms will have to decide whether to appoint one on a voluntary basis, or appoint someone (or more than one person, or an outside agency) to undertake similar tasks.”

Ms Gibson notes: “Under the regulation, it is mandatory to appoint a DPO for firms that conduct large scale processing of sensitive personal data, or if there is systematic monitoring of individuals.

“The DPO will be responsible for data protection and privacy governance to ensure GDPR compliance remains on track.”

Otherwise, there are plenty of resources available for firms that require some assistance in planning for GDPR, including via the Information Commissioner's Office website.

Square Health has produced a booklet, called 'Raising the bar in data security excellence', to help firms in the planning of GDPR, which includes useful infographics such as the following:

[Infographic: GDPR: A summary. Source: Square Health]

Mark Greenwood, regulatory policy manager at The SimplyBiz Group, draws attention to GDPR learning material which is available on its GDPR hub.

So what does a GDPR-ready firm look like? What should companies be aiming for as they prepare to meet the incoming regulation?

It is safe to say that being GDPR ready may look quite different for some companies.

Capco has worked with a range of businesses to get them ready for GDPR in May.

Mr Stringer suggests: “Generally, best practice examples are of those firms who have excellent data architecture, good data discovery and make full use of the available people, processes and technology to effectively manage their data.”

He sets out three specific indicators that a business is GDPR-compliant:

  • They know where their data physically resides, why it was collected, who uses it and for what purpose.
  • They can also identify personal data per individual and have a defensible disposition programme that evidences why data could or could not be disposed of.
  • They have evidence, lots and lots of evidence, of their compliance with GDPR.

For Rob Walton, chief operating officer at Intelliflo, a GDPR-compliant firm is one that has trained its staff, written its privacy notices, segregated its data and has a justification for processing all the data it holds.

He explains that if a firm could only do three things to get ready, those three things should be:

1. Build a data inventory.
2. Ensure you have a documented process for each of the specific ‘Rights of the individual’ under the GDPR.
3. Train all your staff on GDPR, information security awareness and phishing awareness.

eleanor.duncan@ft.com