Introduction: We will publish our GDPR Unwrapped guide shortly. One key area it covers is that the GDPR adds new layers of data protection onto the existing Data Protection Act (DPA). One of the areas that needs focus is the client documents your firm has in place with your clients. These could be:
The website disclaimers will also require a review. This includes:
The ICO’s Data Privacy Policy: The first principle of data protection is that personal data must be processed fairly and lawfully. Thus you must be clear on:
The main elements of fairness include:
Thus to cover all this you now need to consider:
Strategy: You need to start by ensuring the right people are in the right roles with the right skills:
Essentially, the GDPR applies to ‘controllers’ and ‘processors’ that handle individuals’ personal data. Article 4 of the regulation clarifies the different roles:
Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”, i.e. it specifies how and why data is processed.
Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”, i.e. it conducts the data processing.
Article 5 goes on to stipulate: “The controller shall be responsible for, and be able to demonstrate compliance with the Principles”. So it’s an important job!
Data Protection Officer: If you have fewer than 250 employees then you will need a DPO designate, who can also be the data controller within the business.
Data Audit: Model Office's (MO's) preferred approach would be for you to start by assessing your data collection and usage behaviour with the GDPR in mind and to employ an Information Asset Register (IAR), which will ensure a comprehensive audit is undertaken at the outset before any privacy statements or disclaimers are re-written.
Privacy Impact Assessment: The problem we have is how data is collected. This can be direct or indirect and, in particular, involves tracking people online, combining other data sets or using algorithms to analyse data.
A risk register is a good place to start, as the privacy risks need to be mapped across all client data held inside and outside the business. This should cover risks such as personal information held being:
Similar to a Risk register, the PIA should incorporate the following steps:
Individual rights: This includes how you would delete personal data or provide data electronically. The GDPR includes the following rights:
Subject access requests: This largely remains the same but with a few changes:
Basis for processing personal data: This differs from the DPA in that some individuals’ rights are modified depending on your lawful basis for processing their personal data. So, identify the legal basis on which you process data and document it, and update your privacy statement accordingly.
These are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
In a highly regulated environment, you could choose to use legitimate interests with your clients, as they have already opted in so you have their consent (hard or soft) and you are required to hold their data under the FCA record-keeping and retention period rules. In our view, though, your agreements will need to offer a hard opt-out at all times, even if you choose legitimate interests, to comply with the right to withdrawal principle.
Disclaimer and Privacy notice content: This needs to be transparent, clear and unambiguous, and cover:
Consent: The GDPR states that consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, i.e. it cannot be from a pre-ticked box, inferred, or inactivity. It must be separate from other terms and conditions and you must have a simple way for people to withdraw consent.
If data is processed for several purposes then consent must be obtained for each of them. You should request only the relevant data for the purpose it is used.
You also need to ensure any third parties involved (e.g. outsourced partners) in gaining client consent are also disclosed.
Children: Article 8 of the GDPR sets out specific protections for information relating to children. The GDPR sets 16 as the age at which a child can give their own consent to the processing of their data. If the child is younger, you will require permission from the person holding ‘parental responsibility’.
Data Breaches: You now need to ensure you report any breach of client personal data within 72 hours of detection. You will need a process in place that ensures the data controller and processors notify each other, sets out how the report is made to the ICO, and defines how the breach is dealt with. Ideally, you will need:
International: This is relevant if you operate from more than one EU member state, but the GDPR also applies to any internationally based organisation that processes data for any individual who resides within the EU.
Code of conduct: Last, but not least, we would recommend you structure a code of conduct within the business to cover:
Summary: Your firm needs to build on the good work under the DPA and structure its data processing and privacy and disclaimers to ensure full compliance with the GDPR prior to 25th May 2018.