You may be tired of hearing about it, but the General Data Protection Regulation is not going away. The 25 May implementation is just days away, so you need to make sure you are familiar with what is changing and the actions you need to take.
Your preparations should be at an advanced stage, but don’t panic if they are not. The following points are what you need to consider and act on.
What personal data are you processing? This includes collecting, recording, organising, storing, adapting or altering any data that identifies a living person. You also need to establish the purposes and legal bases for all processing activities.
If you are using consent as a legal basis you need to consider whether it remains the most appropriate basis (it probably is not, with the exception of special category data and data used for marketing). You need to ensure it is obtained using the new GDPR standard, which you almost certainly did not apply for previously.
Review contracts with organisations that act as data processors for the personal data you control: back office systems, compliance consultants and any party to which you pass your clients’ personal data as part of providing your services. GDPR requires contracts for all such arrangements, including compulsory clauses to make the responsibilities of both parties explicit.
Inform your clients about how and why you are using their personal data. This should be covered in your privacy notice which must be made available to all data subjects.
Accountability and governance is key. You need to be able to demonstrate a culture of privacy within your firm. You need a staff facing data protection policy, you need to show that the privacy of your clients is properly considered in developing your processes (privacy by design) and that your staff are fully aware of the data protection principles and your internal application of them.
Consider your data security policies closely. The days of sending personal data through unprotected emails are gone. Mobiles should be appropriately encrypted. Most security breaches will be reportable to the Information Commissioners Office.
Aside from data security breaches, what are the likely risks for firms post implementation?
Data retention is the issue that has caused most debate in the build-up.
You will need a data retention policy, which will need to be included in your privacy notice for clients. With a long history of claims and missellling scandals, a suspicion that the regulators have applied retrospective standards and the lack of a long-stop for complaints, there is a common desire to retain client records indefinitely.
Can this be done? On the face of it, indefinite retention would appear to go against the spirit and letter of GDPR, and current data protection law too. Unfortunately, there is not a definitive answer but there are several factors to help you to decide.
What is the data? Remember, you need to identify the data you hold and the purpose for its processing. You should not treat all data as one in deciding your retention policy. If you hold data relating to an expired contract for a client with whom you are no longer engaged, deciding to retain it forever is unreasonable.
Conversely, suitability records for pension transfer business need to be retained indefinitely. It is a regulatory requirement, so you have a legal responsibility.
Data policies need to be checked. The days of sending personal data via unprotected emails are gone
In between these extremes there are numerous scenarios to consider. While you maintain a relationship with a client, data retention is less of an issue.
With the exception of pension transfers, there are minimum data retention periods for suitability records depending on the type of business. These are minimal, so you can retain data for longer if you have a legal basis for it. This may be “legitimate interests”, in which case you need to assess whether or not your interests outweigh the rights and freedoms of the data subjects. Some organisations are using defined periods for retention once a client relationship has ended; seven years, for example.
There is a common misunderstanding that data can be retained for the possible defence of a future legal claim. “For the establishment, exercise or defence of legal claims” is a valid reason to refuse a request for data to be deleted, but it is not one of the legal bases for processing personal data in itself.
The Information Commissioner has said several times that 25 May is not the end but the beginning. It may be some time before test cases lend some clarity to some of the inherent contradictions between data controllers’ interests and the rights of individuals to control their personal data.
Jon Roberts is compliance policy consultant at Threesixty