The new regulation requires a culture change in terms of how personal data is perceived and treated.
With less than four months to go until the implementation of the General Data Protection Regulation, strategies to comply should be nearing completion.
There are differences of opinion on some aspects and, as with all pieces of major legislation, not everything is black and white. There is room for interpretation. There are also specific challenges for the regulated financial services industry.
Many of the existing principles of the Data Protection Act are being carried into the new GDPR legislation. There are some new requirements to bring legislation up to date with technological changes, and the law will have much sharper teeth, with much higher penalties for non-compliance and data breaches.
Whether data is held on paper files or electronically, you need to record the types you are processing, the reason for processing and how and where it is held. One of the principles of the GDPR is that you should only hold personal data that is necessary for the intended purpose. Processing includes collection, recording, storage, alteration or use of personal data.
There are several lawful bases on which data can be processed. Consent is only one of those bases and is often not the most appropriate one to use. You are likely to use “processing is necessary for the performance of a contract” as the primary lawful basis, although consent is required for the processing of special categories of data such as health information.
Marketing activity can only be undertaken where your client has given explicit consent to receive marketing material from you. The standard for consent is set at a higher level than under current data protection law. It needs to be a positive opt-in, and clients will have a right to withdraw consent at any time.
While it has been argued that marketing can be undertaken on the basis of a legitimate business interest, this is unlikely to hold water. Legitimate interests can only be used where they are not overridden by the rights and freedoms of the data subject. As there is a fundamental right to object to personal data being used for marketing purposes, the advice is to get the appropriate consent.
All individuals (data subjects) will have the right to be informed about how and why you process their data, the right to access their data, the right to have incorrect information rectified, the right to have their data moved to another data controller and the right to have their data deleted if you no longer have an appropriate lawful basis on which to process it.
You do not need to comply with a request for deletion where you have a regulatory responsibility to retain the data and, beyond that, where you have an interest in retaining it against the possibility of a future claim. But your retention policy needs to be clear within the terms of a privacy notice document.
Staff awareness of the GDPR requirements is vital. All staff who may come across personal data will need to have knowledge of the data protection principles and the practical application of the GDPR within your firm through your own internal policies. This should be refreshed and tested on a regular basis.
You will need to implement appropriate and proportionate accountability and governance measures. These may include organisational measures such as internal data protection policies, staff training, auditing of processes and maintaining relevant records of processing activities. These measures will help you to demonstrate compliance with the GDPR.
As a data controller, you must have contracts in place with any third parties that process personal data on your behalf, covering both parties' responsibilities and liabilities under the GDPR. There are compulsory inclusions for these contracts, for example that the processor can act only on the written instructions of the controller, a duty of confidence when processing data, and having appropriate data security measures in place.
Your own data security measures are, as you would expect, vital. The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
You will need to report certain types of personal data breach to the Information Commissioner’s Office. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
The ramping up of data protection law that the GDPR brings, together with the stiff financial penalties and the background of longstanding and wholesale non-compliance with existing data protection law, means the new regulation is something of a culture shock.
It also requires a culture change in terms of how personal data is perceived and treated. The general media is already active in publicising the changes. You need to be prepared.
Jon Roberts is compliance policy consultant at Threesixty