GDPR - one year on
10 May 2019
Is it really almost a year ago that the new GDPR regime (DPA 2018 in the UK) was implemented? Well, 25 May came and went, and we carried on - we wrote and published our new Privacy Statements, did our data audits, trained the staff and updated all sorts of material and processes.
I am sure that in some firms this is now a distant memory, it is very much business as usual and the hullabaloo has been forgotten about (Y2K similarities perhaps?). But therein lies a potential problem waiting to surface.
An on-going task
GDPR was not a single job to deal with and park. Like most regulation, getting it in place is sometimes the easy bit (although I admit it may not seem like it!). Keeping it up to date and relevant is not to be taken lightly and is an ongoing task which links directly to a firm’s culture and governance.
- Did you, for example, revisit your data audit, and is your legal basis for processing still justified?
- Has your marketing strategy changed? Have you checked that your targets are registered with the Telephone Preference Service (TPS)? Is this checked on a regular basis?
- Do you automatically require clients to opt in to marketing, which was one of the key changes?
Alas, we hear of firms (not just in financial services) who do not check the TPS, which can cause the Information Commissioner’s Office (ICO) to look more closely.
Reporting data breaches
Anecdotal evidence from the ICO has pointed to a very significant increase in firms who are self-reporting data breaches. This is a good position in many ways, as it shows that the matters are being taken seriously. However, the ICO does have a concern that many of these reports are not actually serious enough to warrant a breach notification and could be dealt with ‘in house’. So the message here is that firms should revisit what the ICO and the Data Protection Act 2018 classify as a reportable breach and ensure that internal procedures reflect what is needed.
Practical steps brokers can take - twelve months on, now is the time to check that you have:
- Reviewed and updated your initial Data Audit
- Reviewed your legal basis for processing for relevance
- Reviewed and updated your privacy statements
- Carried out refresher training for staff
- Reviewed and updated any marketing plans
- Reviewed your opt-in strategy
- Carried out a full review of all your GDPR procedures.
Financial services will always be under ICO scrutiny, and although we’ve seen little visible activity, that isn’t to say that anyone should be complacent. Data protection forms part of the Business Model threshold condition, and breaches will not be seen favourably by the FCA, which in turn may provoke a detailed investigation into other business practices. Like most things, prevention is better than cure.