With under 80 business days until the General Data Protection Regulation (GDPR) takes effect, we wanted to provide our clients and contacts with our view of the activities you should be undertaking before May 25th.
- Acquire Board Backing and the Requisite Resources
If your board hasn’t acted on GDPR yet or isn’t being briefed on GDPR, it might be too late.
It is critical to note that this regulation is not solely concerned with the data of your clients and customers, but also with that of your employees, job applicants, and interns. It will affect every department, but especially Human Resources, IT, Information Security, and Compliance.
To reach a compliant position, a working group should be established with weekly meetings, and a Data Protection Officer (DPO) should be appointed (as newly mandated by the regulation). This individual should have the necessary qualifications and seniority to execute their function effectively and expediently.
- Information Audit
An Information Audit is a good place to start with GDPR compliance. Understanding the scope and scale of the work at hand will enable you to identify the specific actions you need to undertake and in what order. A firm-wide survey is a good way to locate all the personal data under the firm's control, but it will need robust follow-up by the Data Protection Officer with each head of department to establish exactly what the existing procedures are and where the gaps lie.
- Identify the Lawful Bases for Processing Data
All the elements of personal data identified as being in the firm's possession through the Information Audit require a lawful basis for processing. Whether that is KYC documents or an employee's next of kin, you will need to ensure that there is a legitimate and lawful need for you to hold and process that data. This activity is also a good opportunity to assess whether all the personal data you collect is necessary. If it is not, dispose of it securely, provided it is lawful to do so.
- Review the Associated Policies, Notices, and Process Documents
Following on from the last point, GDPR requires more explicit notice to be given to the data subject before their data is processed. You should therefore check that your policies, privacy notices, and procedures are up to date, both on paper and online. Further, you should ensure that the way you acquire, record, and manage consent is watertight.
- Test Drive Data Deletion and Subject Access Request Procedures
Policy revision and drafting are important, but futile if the documents are not properly absorbed by your employees. Test drive all your procedures before May 25th. If possible, submit several Subject Access Requests to your own company and monitor how your team responds and how quickly. Further, send them in a variety of formats to a variety of locations within the firm to ensure that all employees know the requests need to reach the DPO's desk.
- Data Breach Procedure
GDPR requires that you have the right procedures in place to detect, report, and investigate a personal data breach. All organisations are now required to report a personal data breach to the Information Commissioner's Office (ICO), and in some cases to the individuals concerned, where the breach is likely to result in a risk to the rights and freedoms of those individuals. This is broadly interpreted and includes loss of confidentiality, financial loss, social disadvantage, and reputational damage.
Further, it is important that your procedures can withstand complicating factors such as the absence of key persons and business continuity events.
- Data Protection Impact Assessment (DPIA)
Create a Data Protection Impact Assessment methodology and then assess your riskiest data processing activity to test the methodology's appropriateness. Under GDPR, you are now required to perform a DPIA where your processing activity is likely to result in a high risk to individuals, such as:
- When new technology is being deployed
- Where a profiling operation is likely to significantly affect individuals
- Where there is processing on a large scale of special categories of data
If you confirm that the level of risk is indeed high and you cannot sufficiently mitigate it, you must consult the ICO before proceeding.
- Outsourcing, Suppliers, and Service Agreements
Last, and almost always forgotten, is the analysis of the contracts, licences, and service agreements your firm has entered into. Where these relationships involve the transfer of personal data, you need to ensure that the data in question is handled to the appropriate standard. Ensure that your servers, cloud services, marketing agencies, etc. handle your data to a GDPR-compliant level and do not export it to jurisdictions with lax data protection laws, as you may be held responsible. Ensure your legal adviser revises any new agreements to take into account the data export restrictions in GDPR.
Objectivus Financial Consulting
Please note that these steps regarding GDPR compliance are generally phrased and are given without consideration of your firm's unique circumstances. No guarantee is offered regarding your GDPR compliance should you choose to follow them independently of expert advice.
To ensure you reach a fully compliant position in time for May 25th, get in contact with one of our consultants.