Preparing for the General Data Protection Regulation
Riona Mulherin is head of marketing and operations at Paradigm Mortgage Services
Change is a constant for all advisory firms – whether we like it or not – and no sooner do we feel comfortable with the status quo than we are moved on to the next set of compliance and regulatory requirements.
It may be just over a year away, but the General Data Protection Regulation (GDPR) will apply from 25 May 2018 and will affect every firm that handles personal data, so it needs to be understood and prepared for ahead of that date. The good news is that many of the GDPR's concepts and principles are in line with the current Data Protection Act (DPA). However, even firms that comply with the current law will need to build on that foundation to meet the new requirements.
The Information Commissioner's Office (ICO) advises firms to start preparing now so that they are fully compliant by May next year. To help with this, it has produced a document, 'Preparing for the General Data Protection Regulation (GDPR)', which lists 12 steps to take now. We at Paradigm strongly recommend that firms review these steps as a starting point to see what further action, if any, is required before the new rules apply. The full ICO document is available on the ICO website.
There are a number of key points in the GDPR that need to be considered. They are as follows:
• The GDPR distinguishes between consent and explicit consent, the latter being required for special category data such as health information. Consent is only one of the lawful bases for processing, so firms should first establish which basis they rely on for each activity. Where a firm does rely on consent, the GDPR requires a clear affirmative action from the individual: silence, inactivity and pre-ticked boxes will not constitute consent, and it must be as easy to withdraw consent as it was to give it. When a firm obtains consent, it will need to keep a record of who consented, when, how and what they were told. If you already obtain consent in a way that meets the GDPR standard there will be no problem, but you need to be sure of this; if your existing consents do not meet the new standard, you will need to obtain consent again.
• Under the GDPR individuals have the right to obtain confirmation that their personal data is being processed, and to access the personal data held about them together with certain information about that processing. This is similar to the current subject access right, but the GDPR shortens the time allowed to respond to one month (the DPA allows 40 days) and in most cases removes the £10 fee, so firms should check that their procedures can meet the new timescale. The data itself must, of course, now be processed to GDPR standards and not just those of the DPA.
• Individuals will also have the right to have personal data rectified if it is inaccurate or incomplete, and a right to erasure, commonly referred to as the right to be 'forgotten'. The right to erasure is not absolute: it does not apply where the firm must retain the data to meet a legal obligation, such as regulatory record-keeping requirements, so firms need to know which records they must keep and for how long. More detail is provided in the ICO overview document, and it is crucial that firms have a process to follow if such a request is received.
• The GDPR introduces a duty on all organisations to report certain types of personal data breach (those likely to result in a risk to the individuals concerned) to the relevant supervisory authority, which in the UK is the ICO, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and in some cases to notify the affected individuals themselves. An example would be a client's personal details being accessed inappropriately because of a lack of internal controls. Firms will also need to keep an internal record of all breaches, whether or not they are reportable. Clearly, if suitable processes and policies are in place the risk of a breach occurring will be significantly reduced.
These are just some of the crucial points for firms to consider and understand before building them into their current activities. We would, however, recommend that all firms read the overview document to see how the GDPR may affect them specifically.
As a general rule, we feel strongly that protecting your clients' personal, and often sensitive, data, treating it as something of value and only sharing it where relevant and necessary is of great importance and should already be best practice within firms.
As mentioned, firms have over a year to ensure their compliance, but as we all know it is better to begin work now and implement the requirements steadily rather than leaving it to the last minute. Paradigm will continue to provide further details on this upcoming regulation via our normal email updates and regulatory bulletins, many of which are made available to the wider intermediary market.