THE GENERAL DATA PROTECTION REGULATION - (GDPR) UNWRAPPED Improving business and client decision making © Engage Insight Ltd 2018



CONTENTS

Introduction (page 3)

1. The GDPR, your people and data security (page 4)

2. Information audit and knowing your data (page 5)

3. Communicating privacy information and personal data processing (page 7)

4. Individual rights and subject access requests (page 9)

5. Lawful basis for processing personal data (page 11)

6. Consent (page 12)

7. Children and international requirements (page 13)

8. Case study (page 14)

9. Summary and a code of conduct (page 15)


INTRODUCTION

The GDPR comes into effect on 25th May 2018 and adds new layers of data protection onto the existing Data Protection Act (DPA). It is essential to understand how these changes affect your business and what steps you need to take to ensure you become and remain GDPR compliant. This guide is designed to provide you with bite-sized chunks of information, guidance and practical strategy that you can use NOW to ensure you are on track to gain GDPR compliance as soon as possible.

This guide focuses on the key steps the Information Commissioner's Office (ICO) suggests you need to cover, and the strategy we have used with our clients to ensure they are ahead of the curve when it comes to complying with the GDPR. We also want to ensure that we are not just offering a checklist or tick-box exercise. As it seems like it's raining regulations, it is important to look at how other regulations impact the GDPR and vice versa; this will help you allocate the right resources and streamline your operations, saving you time and money.

Whatever you think of regulations, the GDPR is GOOD news in our view. It aims to stop unsolicited marketing, cyber crime, pressure selling and identity theft. Also (as we will see when we cover the lawful basis for processing personal data), because we operate in a highly regulated industry, a lot of the processes and procedures you already have in place will aid your compliance.

That's not an excuse to be complacent by any means: the GDPR is far reaching and affects your data throughout your business, which means Human Resources, Payroll, Client Relationship Management and of course Compliance, to name a few areas. Please remember, as mentioned, this is a cultural shift and you should not view it as a reactive tick-box exercise, as this paper will show.

We hope you find this guide useful. If you have any questions, please do not hesitate to contact us at the details below: E: [email protected] T: 020 3005 5305 W: www.engageinsight.co.uk


1. THE GDPR, YOUR PEOPLE AND DATA SECURITY

Your People

Having the right people in the right place with the right skills is crucial with any regulatory change and so it is with the GDPR.

Essentially, the GDPR applies to 'controllers' and 'processors' that handle an individual's personal data. Article 4 of the regulation defines the different roles:

Data Controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data", i.e. specifies how and why data is processed.

Data Processor: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller", i.e. conducts the data processing.

Article 5 goes on to stipulate: "The controller shall be responsible for, and be able to demonstrate compliance with, the Principles". So it's an important job!

Data Protection Officer (DPO): If you have fewer than 250 employees then you will need a designated DPO, who can also be the data controller within the business. It is important to note that you should avoid simply handing this role to IT; you want to ensure that a team ethic is built around your Data Controllers, Processors and designated DPOs so they are empowered and supported. Find out more on the ICO website.

Data Security

Where data security is concerned, one of the ICO's key steps is handling a data breach and the obligation to report within 72 hours to the Data Controller. The main causes of breach are human error, followed by software corruption, virus attack, hardware error, sabotage and natural disasters.

Key areas to focus on here are:

• Data encryption: ensuring your communication methods and data storage are encrypted helps ensure data security.

• Information Asset Register (IAR): mapping the personal data you hold is essential, and an IAR will support this (see page 3).

According to the ICO, 2017 saw 96 reprimands, of which 11 were directly related to individuals.

Also, £130BN of assets were compromised in 2017, of which £4BN was in the UK.


2. INFORMATION AUDIT AND KNOWING YOUR DATA

Allied to data security is the need to ensure you know where all personal and sensitive data is located, so that you can meet the Data Subject Rights. You can document the flow of information within your firm by designing an IAR; an example Information Asset Register is shown below.

Other areas for focus are:

• Knowing your data lifecycle ensures you hold clean and correct data, and that any legacy or outdated processes can be updated and corrected

• Mapping your data across all the technology platforms you use will enable you to prioritise your efforts, for example when responding to Subject Access Requests, dealing with cyber security, or gaining confidence in your regulatory returns

• Ensuring the personal data you hold is relevant and accurate and mapped across all systems, such as:

• Back office, cash flow and attitude-to-risk technologies
• Sales/Marketing/Accounting databases
• Payroll and Human Resources systems
• Email systems and online chat (WhatsApp, Facebook, LinkedIn, Twitter)
• Where files are held (desktops, laptops, servers, backups)
• Platform and product providers

Information Asset Register example (field: what to record)

Owner: Who is responsible for this information asset?

Asset Name: A way to identify the information asset.

Description: A description of what the information asset is and what it records. Specifically note if your information asset contains personal or sensitive information.

Format: E.g. SQL database, Excel.

Purpose: Why do you hold this information and what is it used for?

Location: Where is the information stored?

Security: How is the information secured? E.g. password protected, encryption.

Users: Who has access to this information asset?

Retention Period: How long is the data kept for, and why?

Risk/impacts: What would be the impact of losing the information asset? Consider loss of confidentiality (i.e. a data breach), loss of availability and loss of integrity. What would be the cost of replacing the information?

External sharing: Is this information shared externally with any third parties?

Legal basis: What is your basis for processing this information? E.g. consent, legitimate interest.
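A register like the one above is only useful if someone reviews it for gaps. The checker below is an added example (not part of this guide or of Engage Insight's own material) that models each IAR row as a dict keyed by the fields above and flags the gaps a reviewer would want closed: empty fields, personal or sensitive data held without encryption, a "legal basis" that is not one of the Article 6 bases, and external sharing with no recipients recorded. The snake_case field names, the `contains_personal_data`/`contains_sensitive_data` flags, the `sharing_recipients` field and the two sample rows are all constructed for illustration.

```python
"""Information Asset Register (IAR) gap checker: added example, not from the guide.
Each asset is a dict keyed by the IAR fields listed above (snake_case); the
flag fields, rules and sample rows are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

REQUIRED_FIELDS = ("owner", "asset_name", "description", "format", "purpose",
                   "location", "security", "users", "retention_period",
                   "risk_impacts", "external_sharing", "legal_basis")

# Article 6 lawful bases, as listed in section 5 of the guide.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}


@dataclass(frozen=True)
class Finding:
    asset_name: str
    severity: str  # "high" or "medium"
    message: str


def check_asset(asset: dict) -> list[Finding]:
    """Return the gaps found in one IAR row (empty list means none)."""
    name = asset.get("asset_name", "<unnamed>")
    findings = []
    for field in REQUIRED_FIELDS:
        # Booleans (external_sharing) count as filled in even when False.
        value = asset.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            findings.append(Finding(name, "medium", f"field '{field}' is empty"))
    sensitive = bool(asset.get("contains_sensitive_data"))
    personal = sensitive or bool(asset.get("contains_personal_data"))
    if personal and "encrypt" not in str(asset.get("security", "")).lower():
        findings.append(Finding(name, "high" if sensitive else "medium",
                                "personal data held without encryption"))
    basis = str(asset.get("legal_basis", "")).strip().lower()
    if personal and basis and basis not in LAWFUL_BASES:
        findings.append(Finding(name, "high", f"'{basis}' is not an Article 6 lawful basis"))
    if asset.get("external_sharing") and not asset.get("sharing_recipients"):
        findings.append(Finding(name, "medium", "shared externally, recipients not recorded"))
    return findings


def check_register(register: list[dict]) -> list[Finding]:
    """Check every row; high-severity findings come first."""
    findings = [f for asset in register for f in check_asset(asset)]
    return sorted(findings, key=lambda f: (f.severity != "high", f.asset_name))


# Constructed sample register: a well-kept row and a row with gaps.
SAMPLE_REGISTER = [
    {"owner": "Head of Compliance", "asset_name": "Client CRM",
     "description": "Client contact and fact-find records", "format": "SQL Database",
     "purpose": "Investment advice", "location": "UK data centre",
     "security": "Password protected, disk encryption", "users": "Advisers",
     "retention_period": "6 years after relationship ends", "risk_impacts": "Breach",
     "external_sharing": True, "sharing_recipients": "Platform provider",
     "legal_basis": "Legitimate interests", "contains_sensitive_data": True},
    {"owner": "Office Manager", "asset_name": "Prospects spreadsheet",
     "description": "Names and emails collected at events", "format": "Excel",
     "purpose": "Marketing", "location": "Shared drive and laptops",
     "security": "Password protected", "users": "Sales team", "retention_period": "",
     "risk_impacts": "Unsolicited marketing complaint", "external_sharing": False,
     "legal_basis": "Privacy", "contains_personal_data": True},
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(f"[{finding.severity}] {finding.asset_name}: {finding.message}")
```

Run against the sample register, the CRM row passes and the prospects spreadsheet produces three findings: a missing retention period, unencrypted personal data, and "Privacy" not being an Article 6 basis.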


Information Audit: the Do's and Don'ts

DO

• Employ a project management approach
• Agree scope and objectives
• List all assets you hold
• Refer to a risk register (if you have one)
• Involve everyone and gain their buy-in
• Include any soft or hard copy spreadsheets you may hold
• Include the whole client journey: prospecting, on-boarding, advice journey etc.
• Make the IAR accessible to all
• Buy treats and take the team to the pub to ensure everyone remains engaged and awake!

DON'T

• Just rely on IT to 'fix it'; there is no panacea or silver bullet

• Let a few stakeholders and gatekeepers take sole charge; this is a cultural shift within the business, so everyone is affected and accountabilities resonate throughout the team

• Leave the IAR collecting dust


3. COMMUNICATING PRIVACY INFORMATION AND PERSONAL DATA PROCESSING

Information and your privacy notices

The GDPR requires you to be as clear as day about what personal data you are collecting, how it is being processed and where you are using it. You need to be up on Article 13, which focuses on the information you should put in your privacy policies. The list below summarises the privacy information you have to provide.

Information to be supplied

• Identity and contact details of the controller and, where applicable, the controller's representative and the DPO

• Purpose of the processing and legal basis for processing

• The legitimate interests of the controller or third party

• Categories of personal data

• Any recipients or categories of recipients of the personal data

• Details of transfers to third countries and safeguards

• Retention period or criteria used to determine the retention period

• The existence of each of the data subject's rights

• The right to withdraw consent at any time

• The right to lodge a complaint with a supervisory body

• The source the personal data originates from and whether it came from publicly accessible sources

• Whether the provision of the personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data

• The existence of automated decision making, including profiling, and information about how decisions are made

Data Protection Impact Assessment (DPIA)

Article 35 of the GDPR requires you to implement appropriate technical and organisational measures to protect data. As a data controller you are accountable for the security and accuracy of the data you hold. Minimisation also applies, so you should record only what is necessary (it's not War and Peace). How you communicate information now needs special consideration; the first port of call is ensuring your communications are sent from a secure platform and are encrypted.

Sensitive data: this could be a person's faith, health, ethnic background or criminal convictions, so you need to consider whether you really need to hold this information and, if not, securely delete, destroy or return the data.

The ICO suggests you should include the following in your DPIA:

• A description of the processing operations and their purposes, including the legitimate interests pursued by the controller

• An assessment of the necessity and proportionality of the processing in relation to the purpose

• An assessment of the risks to individuals

• The measures in place to address risk, including security, and to demonstrate that you comply


Data Protection Impact Assessment example template (field: what to record)

Conducted by:

Date:

Process or system name, and who is the data subject: e.g. CRM, prospects, clients, employees etc.

Description of processing (include links to documents or guides): how is personal data captured, across name, address, email etc.?

Location of data processing:

Lawful basis for data processing: consent, privacy, legitimate interest etc.

How long is the data retained?

How is the data deleted?

Who has access, and how is information shared?

Risks to data subjects:

Measures to minimise and mitigate risks:


4. INDIVIDUAL RIGHTS AND SUBJECT ACCESS REQUESTS

Power to the people

If you are complying with the DPA (and we hope so) then most individual rights should be familiar to you, but you need to review your procedures and processes to ensure that information about how your clients can exercise their rights is included in your privacy notices.

The GDPR provides the following rights for individuals:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

So the key to this is ensuring your systems and controls, policies and procedures are clear and understood by all affected, and the Data Controller and data processor relationships need to be strong. Finally, the ICO provides the test of whether there is 'no compelling reason' left to hold the data when a withdrawal request comes in. Thus, in a highly regulated industry, this means you need to factor in the FCA's suitability and Know Your Client requirements and their data retention rules.


Handling Subject Access Requests

This largely remains the same, with a few differences:

• In most cases you cannot charge for complying with a request
• You will have a month to comply (previously 40 days)
• You can refuse, or charge for, requests that are unfounded or excessive
• If you do refuse a request, you must give the individual who made it clear reasons why, and tell them that they may complain to the supervisory authority and seek a judicial remedy. This again must be completed within one month

DO

• Know Recital 63 of the GDPR
• Know the lawful basis (or bases) you are using
• Devise a process to identify the person making the request
• Provide secure and remote access
• Link your Data Subject Access Request Policy to your Privacy Notice
• Deal with the request within one month (under the DPA it was 40 days)

DON'T

• Be unclear about the relationship between the individual and the Data Controller
• Fudge your ID process
• Take it personally
• Make it hard


5. LAWFUL BASIS FOR PROCESSING PERSONAL DATA

This differs from the DPA in that some individuals' rights may be modified depending on your lawful basis for processing their personal data. Identify the lawful basis on which you process data, document it, and update your privacy statement accordingly.

The lawful bases are:

a. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. This means being explicit in your terms of business, client agreements or website disclaimers.

b. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. So the way you process business for specific purposes (e.g. investment advice) can apply.

c. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

d. Vital interests: the processing is necessary to protect someone’s life.

e. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

f. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

In a highly regulated environment, you could choose to rely on legitimate interests with your clients, as they have effectively already opted in, so you have their consent (hard or soft), and you are required to hold their data under the FCA's record keeping and retention period rules. In our opinion, though, your agreements will need to offer a hard opt-out at all times, even if you choose legitimate interests, in order to comply with the right-to-withdraw principle.

Whatever you choose you need to ensure the lawful basis on which you process personal data is disclosed clearly and is appropriate for each data processing activity.


Marketing and ePrivacy regulation: don't forget about the Privacy and Electronic Communications Regulations (PECR)

It is worth noting that the GDPR only partially covers marketing; the PECR, which is currently being re-written, focuses on electronic communications, specifically:

• Marketing calls, emails, texts and faxes
• Cookies (and similar technologies)
• Security of communication services
• Privacy around traffic and location data, itemised billing, line ID and directory listings

The new version of the PECR moves every method of e-communication to consent. We suspect this could be the end of much internet cookie-based 'pop-up' marketing.

6. CONSENT

The GDPR states that consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, i.e. it cannot be from a pre-ticked box, inferred, or inactivity. It must be separate from other terms and conditions and you must have a simple way for people to withdraw consent. For a detailed review of consent read the GDPR consent guidance.

If data is processed for several purposes, then consent must be obtained for each of them. You should request only the data relevant to the purpose for which it is used.

You also need to ensure any third parties involved (e.g. outsourced partners) in gaining client consent are also disclosed.

DO

• Keep consent separate from T&Cs
• Use plain English
• Adopt a simple procedure for all to understand
• Provide methods to withdraw consent
• Document all requests
• Be specific in your request for consent
• Deal with the request within one month

DON'T

• Get technical and use jargon
• Pre-select opt-in boxes
• Penalise individuals who wish to withdraw consent
• Make consent a pre-condition of service
• Be unclear on what the individual has consented to
• Be unclear in the relationship between the individual and the Data Controller


7. CHILDREN AND INTERNATIONAL REQUIREMENTS

Children: Article 8 of the GDPR sets out specific protections for information relating to children. The GDPR sets 16 as the age at which a child can provide their own consent to the processing of their data. If they are younger, you will require permission from the person holding 'parental responsibility'.

International: Relevant if you operate from more than one EU member state, but the GDPR also applies to any internationally based organisation that processes data for any individual who resides within the EU.


8. CASE STUDY

Below is a process used to ensure a GDPR project covered all key steps and remained on track throughout:

1. Agree scope and objectives.

2. Ask the right questions: What data do you possess? For what purposes? What legal basis? Who do you share it with?

3. Explain the audit's value, use existing resources and create an audit template.

4. Assess data: map the client journey and IT systems, but don't forget paper!

5. Use the corporate Information Asset Register and make it accessible.

6. Provide incentives to give up time to work on this process.


9. SUMMARY AND A CODE OF CONDUCT

The GDPR is not to be underestimated, as it represents sweeping change and an increase in accountability and protection of consumer rights. It aligns with the FCA's focus on roles and responsibilities under the Senior Managers and Certification Regime, and with ESMA's MiFID II transparency and disclosure directives. In essence this represents a cultural change, and so a Code of Conduct will help you focus on ensuring the team and the business are constantly aligned to the aims:

1. Fair and transparent processing of personal data
2. Collection of personal data and the IAR follow the GDPR principles
3. Information for individuals and their rights
4. Information for, and protection of, children
5. Security measures are understood and implemented
6. Breach notification process and timeframes are understood
7. Data transfers outside the EU are mapped
8. Dispute resolution is in place


© Engage Insight Limited, 50 Liverpool Street, London EC2M 7PY

Tel: 020 3005 5305

Email: [email protected]

Website: www.engageinsight.co.uk