With the General Data Protection Regulation (GDPR) just around the corner, businesses must start planning for its arrival sooner rather than later, writes Paula Tighe, information governance director at Wright Hassall
Data protection within the finance industry is not something that can be taken lightly.
Therefore, it is crucial that businesses begin preparations for the arrival of GDPR early, instead of leaving it to the last minute and then trying to establish a plan.
Despite the UK leaving the EU, you will still have to comply. Wherever your data comes from, if it is used, recorded or processed in the EU, you must comply with GDPR.
One of the most important first steps is for businesses to begin making a record of the compliance process, which will help protect their company during the initial stages of GDPR.
This Data Register should include what personal data you currently hold and the reasons for processing it, including where it came from and with whom you share it.
This will help your business to adhere to the new accountability principles established in GDPR.
GDPR compliance aims to improve standards by questioning the way in which your business currently processes data – it is not designed to stop you doing things.
Start by reviewing your existing digital and hard-copy-format privacy notices and policies – are they concise, written in clear language, easy to understand and easily found?
Finally, assess how you communicate these notices and policies with data subjects, ensuring you explain your reason for processing the data, how long it is retained and how individuals can complain to the Information Commissioner’s Office.
Rights of the individual
Post-GDPR, individuals will enjoy greater control over their personal data, including the right to have information edited or deleted upon request. Therefore, it is crucial that your business introduces new procedures that can deal with any such request effectively.
Perhaps one of the key drivers for the changes is the right of an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures will mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should not be a problem. You must comply within a month when an individual makes a subject access request, to see what information you have about them. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.
One of the trickier areas of the new regulations is handling consent for personal data to be captured and used for more than just contact.
Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily, at any time. If you change the way you want to use their data, you must obtain a new consent.
Consent must be explicit, and your documented attempts to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Where data processing could pose a significant risk to individuals because of the technology used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA) before beginning the project.
These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen, and should form part of your ongoing processes.
Ensure you have a robust process for making the assessments, and then record it along with the outcome – a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.
If your company processes data on a large scale, it may be worth appointing a dedicated Data Protection Officer to ensure your business is GDPR compliant at all times. It does not have to be someone within your organisation – you might choose to appoint an appropriate individual on a part-time or consultancy basis.
It is not just electronically held data that can pose a problem; you also need to consider written records, which are equally covered by the regulations – ensure all your staff are trained on the correct handling of personal data.
Remember, recording the entire compliance process using your data register will help protect your organisation from potential claims during the early months of GDPR.
Those companies that cannot prove they are making an active effort to meet the new requirements will suffer greater punishment than those who can.