Preparing for upcoming changes
What do you need to know about GDPR?
Because you hold data about your customers, you will need to be compliant with the new rules by Friday 25th May 2018. From that date the Information Commissioner's Office (ICO) will have new enforcement powers, including the ability to impose substantially larger fines on organisations that do not comply.
Why do I need to be compliant?
The EU decided a couple of years ago that 'data subjects' – that's 'people' to you and me – in all member states should have equal data protection and privacy rights. Europe-wide data protection directives have been in place for more than 20 years, and you will most likely already be compliant with these, which will stand you in good stead for the GDPR requirements.
What should I consider?
Your Policy and controls framework - have you updated your data protection policy and procedures to deal with the new requirements, including your data retention arrangements?
DPO - should you have a data protection officer or if not who will deal with data requests?
Assurance - what arrangements do you have for ensuring you are compliant?
Training and awareness - ensure your execs and relevant staff understand the new requirements.
Breach reporting framework - if you suffer a personal data breach you will need to be able to identify it and report it to the ICO without undue delay (and, where feasible, within 72 hours of becoming aware of it), and, where the breach is likely to result in a high risk to them, inform the affected clients as well.
Procedures and processes for data subject rights - data subject access requests and other data requests will now need to be completed within one month (extendable by up to two further months where a request is complex or numerous, provided you tell the individual within the first month).
Security measures - is the data secure and can you evidence this?
DPIAs and Privacy by Design - for high risk personal data arrangements you may need to complete a data protection impact assessment and overall you need to show you have designed a suitable data protection framework.
Consents and Privacy Notices - you'll need to review and update the information you provide to clients when collecting their data and capturing their consents to processing it.
Third party processors - you'll need to make sure anyone who processes personal data on your behalf has adequate security and assurance arrangements in place.
How will it affect my clients?
With the new GDPR, individuals have been granted very clearly defined rights. These include:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object; and
- the right not to be subject to automated decision-making, including profiling.
There are exemptions and caveats to all these rights and you'll need to consider the new rules carefully and obtain professional advice as necessary to make sure you have processes in place for assessing and dealing with requests to exercise any of these rights, within the stipulated timescales.
You’ll probably be familiar with this under DPA, but if a client comes to you after 25th May to say the data you hold about them is wrong or they want it deleted, would you know how to correct it or erase it? Will you have processes and systems in place to communicate any changes to client data to other third parties that also hold information about that client? And who in your business is going to be responsible for managing all this?
Also you will need to ensure that you inform your existing client database (to the extent you haven't told them already), and your new clients going forward, of these rights and a number of other key points about your capture and processing of their data including:
- the purpose of the processing
- the lawful basis for the processing (e.g. consent, or legitimate interests)
- how long you will hold their data, or the criteria for determining how long you hold it
- any processing by third parties
- whether the data will be transferred to, or accessed from, countries outside the EEA.
Under GDPR, Magellan Homeloans will be unable to contact you for marketing and update purposes unless you confirm that you're happy for us to continue to do so, and for us to store your details on Magellan’s records and distributions lists.