The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
This means another piece of legislation for your team to understand and comply with.
Here we look at the 10 things you need to know and do to ensure you meet the requirements.
What is the GDPR?
It’s a new EU regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.
It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force.
Our blog post, "GDPR compliance: do you know everything you need to?", has more information on what the new rules mean.
In short, for most firms, the regulation will mean a change to the way you collect, store and use personal data. Maybe most importantly, it makes some requirements that were previously only applicable to B2C contacts relevant to B2B data too.
It has been suggested that GDPR has the potential to be the next PPI scandal. So if you want to minimise your chances of non-compliance, it’s essential that you understand what’s required.
What do you need to do to comply?
For many firms, wide-ranging changes to your data processing systems and procedures will be needed to conform to the new rules.
Here we summarise what we believe are the 10 things you need to do now to prepare.
1. Get a clear understanding of the new requirements
For a long while, specifics around the regulation and what it means were in short supply. But in March this year, the Information Commissioner’s Office clarified the requirements. You can read more here about the details.
2. Audit your current approach to data protection
How far are you from what’s required under the new regulation? How do you currently store, manage and use data? What processes do you have around consent? Understanding your starting point will give you a clearer idea of the amount of work ahead of you.
3. Will you need a Data Protection Officer?
The regulation requires some organisations to appoint an in-house Data Protection Officer (DPO).
Although the rules are not 100% clear, it looks as if all public sector organisations will have to appoint one, while private firms can appoint their own DPO or outsource this role. Outsourcing, of course, comes with its own pitfalls for regulated firms (which you can read up on here).
4. Carry out a risk assessment to identify priorities
With the new regulation coming into force next year, you have limited time to comply. Carrying out a risk assessment at an early stage will enable you to identify key areas to focus on. Prioritise any systems that hold sensitive personal information.
5. Are there external sources of expertise you can draw on?
There is no shortage of GDPR-related consultancies, conferences, guides and other support. Identify whether any of these can help you to comply. A little external expertise can be a useful shortcut to achieving your goals.
6. Have a clear plan of action
Meeting the requirements in time means a clear and focused plan of attack. SMART goals with clear deadlines will help you break down GDPR requirements into manageable chunks and make a start on meeting them.
7. Get your senior managers on board
GDPR is too important – and the potential penalties too severe – for it not to be spearheaded at the very top of your firm. Firms in serious breach face potential fines of up to €20 million or 4% of the firm’s global revenue. Your senior leaders need to champion a culture where good behaviours are embedded.
8. Ensure the whole business understands the implications
Anyone in your firm who deals with data needs to appreciate the need to comply with the GDPR. Read about how it will affect your Sales colleagues and what Marketing teams in regulated firms need to do.
As a Compliance team, you need to provide clear guidance on what other areas of your business need to do.
9. Be prepared in case the Data Protection Commissioner asks you…
- Where you hold your clients’ and contacts’ data
- How it is accessed, and by whom
- How it is shared, both within and outside your organisation
- How you enable people’s personal information to ‘be forgotten’
It’s up to you to understand and be able to evidence how you are meeting the requirements.
10. Understand what you have to do if you suffer a data protection breach
Under GDPR, you will have just 72 hours to notify data subjects of a breach – or your firm may be fined. Do your processes enable you to identify and report on a breach within the required timescales? If not, you need to look at improvements.
The General Data Protection Regulation is the latest in a seemingly endless list of new requirements for communications and financial promotions. With MiFID II also impacting your FPs, you have a lot on your plate.