As an IFA, broker or Estate Planner you may not have really considered the General Data Protection Regulation (GDPR) so far (implemented on 25th May 2018). But it’s important to have an awareness of what’s involved so you can make changes if you need to.
Here are 8 considerations for GDPR. Many of these may already be in place, and it could be that you simply need to tweak a few areas to strengthen them further:
1. Internal engagement
Is everyone in your business appropriately aware of GDPR and committed to making the appropriate changes to ensure compliance?
2. Personal data
What personal data do you hold as a business? Where does it come from? How is this data shared internally and with third parties? Consider plotting out where your data comes from and how you ask for permission to use it – are there any risks you need to address?
3. Recording of data
How do you record the data? How do you update and amend it when required? Do you have the ability to fully delete the data across all records if requested to do so? Clean out any old data you don’t use; there’s no point in keeping it anyway.
4. Data security/breaches
How secure is the personal data you have within your business? Is it stored in documents or within a system? Who accesses this data? Are there any restrictions in place?
If you have a breach, how quickly can you detect it and report it? You may need to assess and identify any possible risk elements within your data processes and security. The reputational risk to your business could be huge!
5. Consent
It’s important that customers have the choice upfront to consent to communications from you. You need to make them aware of how you intend to use their information. Consent cannot be inferred from inactivity or pre-ticked boxes, and you must make it easy for people to withdraw consent. You need to implement this consistently and be able to record customer choices.
6. Individuals’ rights
Does your business allow for all the rights that individuals have? How would you delete personal data, or provide relevant data in an easy-to-use format?
7. Access requests
Customers have the right to access the information you have on them, and you cannot charge for this service. You can however refuse a request if it is ‘manifestly unfounded or excessive’. You must inform the individual why you have refused within one month. All of this must be recorded and processed within the business for future auditing purposes.
8. Data Protection Officers
You may need to consider appointing a DPO if you deal in large volumes of personal data, conduct regular and systematic reviewing of data on a large scale, or if you are a public authority. You need to ensure you have someone who takes on the responsibility for your data protection compliance, with the appropriate knowledge, support and authority to support your business effectively.
If you are not sure about your compliance with GDPR, it could be worth seeking expert legal advice.