GDPR - one year on

10 May 2019

Is it really almost a year ago that the new GDPR regime (DPA 2018 in the UK) was implemented? Well, 25 May came and went, and we carried on - we wrote and published our new Privacy Statements, did our data audits, trained the staff and updated all sorts of material and processes.

I am sure that in some firms this is now a distant memory: it's very much business as usual and the hullabaloo has been forgotten about (Y2K similarities, perhaps?). But therein lies a potential problem waiting to surface.

An on-going task

GDPR was not a single job to deal with and park. As with most regulation, getting it in place is sometimes the easy bit (although I admit it may not seem like it!). Keeping it up to date and relevant is not to be taken lightly; it is an ongoing task which links directly to a firm's culture and governance.

For many firms, not much will have changed over the last twelve months when looking at the business strategy, but what if there has been a new development such as access to new markets which brings in a new customer tranche or acquiring another firm or book of business? How has this been managed and how does this sit with the more stringent GDPR requirements to manage data effectively?
  • Did you, for example, revisit your data audit, and is your legal basis for processing still justified?
  • Has your marketing strategy changed? Have you checked whether your targets are registered with the Telephone Preference Service (TPS)? Is this checked on a regular basis?
  • Do you automatically require clients to opt in to marketing, which was one of the key changes?

Alas, we hear of firms (not just in financial services) who do not check the TPS, which can cause the Information Commissioner's Office (ICO) to look more closely.

When it comes to opting in, again, we regularly see firms who require clients to opt out and, sadly, some are in the financial services sector. We haven't heard of any significant enforcement activity from the ICO, but they will be keeping a keen eye on what is happening.

Reporting data breaches

Anecdotal evidence from the ICO has pointed to a very significant increase in firms who are self-reporting data breaches. This is a good position in many ways as it shows that the matters are being taken seriously. However, the ICO does have a concern that many of these reports are not actually serious enough to warrant a breach notification and can be dealt with ‘in house.’ So the message here is that firms should revisit what the ICO and the Data Protection Act 2018 classify as a reportable breach and ensure that internal procedures reflect what is needed.

Practical steps brokers can take - twelve months on, now is the time to check that you have:

  • Reviewed and updated your initial Data Audit
  • Reviewed your legal basis for processing for relevance
  • Reviewed and updated your privacy statements
  • Carried out refresher training for staff
  • Reviewed and updated any marketing plans
  • Reviewed your opt in strategy
  • Carried out a full review of all your GDPR procedures.
Remember, it’s essential to document all this to evidence your robust approach. 

Conclusion

Financial services will always be under ICO scrutiny and, although we've seen little visible activity, that isn't to say that anyone should be complacent. Data protection forms part of the Business Model threshold condition, and breaches will not be seen favourably by the FCA, which in turn may provoke a detailed investigation into other business practices. Like most things, prevention is better than cure.

This document is provided for information purposes and is general and educational in nature. Nothing in this article constitutes legal advice. You are free to choose whether or not to use it and it should not be considered a substitute for seeking professional legal help in specific circumstances. 

FAQs

The Information Commissioner’s Office (ICO) has issued a raft of guidance that firms can draw from to base their preparations on and further guidance following the consent consultation can be expected shortly.
 
In a nutshell, organisations need to keep records of personal data that they hold/process, keep records of how and when consent was given and what the individual was told, show where the data is going and what it’s being used for, and protect the data they hold.
GDPR has six key principles, set out in Article 5 of the GDPR and covered in the ICO's guidance, as follows:
 
“Article 5 of the GDPR requires that personal data shall be:
 
  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Alongside these six principles sits article 5(2), referred to as the accountability principle, which “requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
 
Businesses need to have a clear understanding of what ‘affirmative consent’ means so that they can ensure their marketing activities are GDPR compliant: they will need to ensure they can demonstrate they have ‘affirmative consent’ for each and every one of their new business prospects, whether these be personal or commercial.
It came into effect on 25 May 2018. 
There are a few key steps you should be taking now:
 
  • You need to make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR.
  • It would be useful to start looking at your organisation’s risk register, if you have one.
  • Implementing GDPR could have significant resource implications, especially for larger and more complex organisations.
  • You should raise awareness of the changes that are coming and not leave preparations until the last minute.
  • Consider employee awareness training. RWA’s ‘My Development Zone’ is a useful online learning platform with a full GDPR pathway that employees can undertake. 
For more details on the accountability principle and what is required, please visit: ico.org.uk
 
If you would like further support to help you strength test your GDPR compliance, RWA can also assist you with an initial healthcheck and with further high-level process implementation support.
GDPR is a compulsory requirement for any business handling personal data which relates to living EU citizens. To clarify, GDPR documentation refers to ‘personal data’ as being “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier [email, IP address, mobile device ID, etc.] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”1
 
Understanding how the GDPR defines ‘personal data’ is vital for every business. For example, a business email address that contains a personal name – such as andrew.linnell@rwagroup.co.uk – meets the definition of personal data, as it has an individual’s name in it. As such, a business will need to understand on what basis it is processing this data.
 
Further, how will businesses approach ‘consent’ should an existing client not renew their business? Traditionally, the broker will view this ‘lost’ client as a new prospect for the future. But how will they ensure they have ‘affirmative consent’ to continue to market their services to a client they no longer hold?
 
GDPR is a golden opportunity to review the information you hold and embed solid GDPR policies and procedures. If done correctly, these changes will not only ensure that your business is compliant, but they also have the capacity to deliver commercial gains for your business.