
10 things you need to know for successful GDPR compliance

Steve Coleman

Compliance and Regulations

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

This means another piece of legislation for your team to understand and comply with.

Here we look at the 10 things you need to know and do to ensure you meet the requirements.

What is the GDPR?

It’s a new EU regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.

It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force.

Our blog ‘GDPR compliance: do you know everything you need to?’ has more information on what the new rules mean.

In short, for most firms, the regulation will mean a change to the way you collect, store and use personal data. Maybe most importantly, it makes some requirements that were previously only applicable to B2C contacts relevant to B2B data too.

It has been suggested that GDPR has the potential to be the next PPI scandal. So if you want to minimise your chances of non-compliance, it’s essential that you understand what’s required.

What do you need to do to comply?

For many firms, wide-ranging changes to your data processing systems and procedures will be needed to conform to the new rules.

Here we summarise what we believe are the 10 things you need to do now to prepare.

1. Get a clear understanding of the new requirements

For a long while, specifics around the regulation and what it means were in short supply. But in March this year, the Information Commissioner’s Office clarified the requirements. You can read more here about the details.

2. Audit your current approach to data protection

How far are you from what’s required under the new regulation? How do you currently store, manage and use data? What processes do you have around consent? Understanding your starting point will give you a clearer idea of the amount of work ahead of you.

3. Will you need a Data Protection Officer?

The regulation requires some organisations to appoint an in-house Data Protection Officer (DPO).

Although the rules are not 100% clear, it looks as if all public sector organisations will have to appoint one, while private firms can appoint their own DPO or outsource this role. Outsourcing, of course, comes with its own pitfalls for regulated firms (which you can read up on here).

4. Carry out a risk assessment to identify priorities

With the new regulation coming into force next year, you have limited time to comply. Carrying out a risk assessment at an early stage will enable you to identify key areas to focus on. Prioritise any systems that hold sensitive personal information.

5. Are there external sources of expertise you can draw on?

There is no shortage of GDPR-related consultancies, conferences, guides and other support. Identify whether any of these can help you to comply. A little external expertise can be a useful shortcut to achieving your goals.

6. Have a clear plan of action

Meeting the requirements in time means a clear and focused plan of attack. SMART goals with clear deadlines will help you break down GDPR requirements into manageable chunks and make a start on meeting them.

7. Get your senior managers on board

GDPR is too important – and the potential penalties too severe – for it not to be spearheaded at the very top of your firm. Firms in serious breach face potential fines of up to €20 million or 4% of the firm’s global revenue. Your senior leaders need to champion a culture where good behaviours are embedded.

8. Ensure the whole business understands the implications

Anyone in your firm who deals with data needs to appreciate the need to comply with the GDPR. Read about how it will affect your Sales colleagues and what Marketing teams in regulated firms need to do.

As a Compliance team, you need to provide clear guidance on what other areas of your business need to do.

9. Be prepared in case the Data Protection Commissioner asks you…

  • Where you hold your clients’ and contacts’ data
  • How it is accessed, and by whom
  • How it is shared, both within and outside your organisation
  • How you enable people’s personal information to ‘be forgotten’

It’s up to you to understand and be able to evidence how you are meeting the requirements.

10. Understand what you have to do if you suffer a data protection breach

Under GDPR, you will have just 72 hours to notify data subjects of a breach – or your firm may be fined. Do your processes enable you to identify and report on a breach within the required timescales? If not, you need to look at improvements.

The General Data Protection Regulation is the latest in a seemingly endless list of new requirements for communications and financial promotions. With MiFID II also impacting your FPs, you have a lot on your plate.

If you want a refresher on financial promotions compliance, you can download our Compliance Guide to Financial Promotions. You can get your free copy of the Guide here.
