GDPR post-implementation – what next?
01 November 2018
We explore the common themes and pitfalls of the General Data Protection Regulation (GDPR) implementation and highlight some key areas that require continual attention.
Common themes and pitfalls
Subject Access Requests (SARs)
Lack of internal policies or procedures
- Clean desk policies and record handling
A number of firms were storing personally identifiable information (PII) in paper form on desks or in unsecured folders. This presents a significant issue: not only is the information unsecured, but it is very difficult to identify whether a breach has occurred, or to determine the impact of any loss, when there is no record of what was held where.
The practicalities of active renewal or new business transactions mean that files are printed and left on a desk until the transaction is completed. A few firms were still using fax to send information but were not checking whether the fax machine was manned at the recipient's end, so were sending files without knowing whether they were being left sitting on a fax machine for days on end.
A further issue was raised by a number of firms, who routinely stored client records in their cars between visits or even for extended periods of time.
- Physical security
This was largely satisfactory, with most brokers having appropriate security measures in place and sufficient lockable storage for client records. However, while most had the means to lock storage, not all storage was locked.
- Digital security
Again, most of the IT systems in operation had been well considered, but a number of firms had not paid attention to the security of data once it leaves the office or the corporate network, e.g. emails being sent with inappropriate attachments, confidential data being worked on in public spaces where it can be overlooked (on trains, for example), or loud telephone calls discussing clients in a café.