The European Union’s General Data Protection Regulation represents the biggest shake-up of the rules surrounding data protection for decades and it will affect small and large businesses across every industrial sector.
It will have a significant impact on the financial services companies which store large amounts of personal data for customers, suppliers, and employees.
The scale of this legislation should not be understated: it aims to hand back control of data to the individual. The recent Facebook and Cambridge Analytica crisis highlights growing concerns about the misuse of personal information. In such a febrile environment, companies need to ensure they complete all steps on the GDPR Checklist before the deadline on 25th May. We’ve highlighted the following five actions from the complete list for financial services organisations, to help tackle this huge undertaking in a manageable way.
1: Recognise the new responsibilities of the Data-Protection Officer
While many companies already have a Data-Protection Officer, their role will be changing under GDPR. Under the new legislation, the DPO must be an independent function. In the past, it was possible to be a DPO as well as, for example, an IT manager. But this will no longer be allowed, in order to avoid potential conflicts of interest. The new EU rules require the DPO to put in place company policies to ensure the company is aware of its responsibilities and complies with this regulation. One of the DPO’s most significant responsibilities is to report any potential data breaches. Depending on the nature of the company’s business, these breaches must be reported either straightaway or within 72 hours.
2: Delete data of individuals who are no longer customers or employees
One of the fundamental tenets of GDPR is to ensure an individual’s data is only kept for as long as is required for legitimate business purposes. For example, if an individual is no longer a customer of a regulated financial firm, then their data should be deleted once the regulatory requirements for retention of that data have ended. That requires the company to know where this data is kept, make sure it can search its information caches and provide the data when needed. It’s important to have these processes in place now as firms might experience a high volume of requests when the legislation comes into force, which will have to be complied with. If that data contains personal information, it should only be kept if it has a business purpose. By putting the necessary systems in place to sufficiently retain, monitor and delete this data, companies will reduce their regulatory risk as well as cutting their IT costs.
3: Understand the changes to marketing consent
At the moment, organisations are allowed to assume potential clients consent to sales approaches unless they opt out. Under the new legislation, new customers will have to opt in: they will have to tick a box saying they want to receive marketing materials. Not only will companies have to ensure their forms are updated but they will also have to update their existing database. A good reference for the changes to the requirements on consent can be found on the ICO (Information Commissioner’s Office) website.
4: Scrutinise the language used in contracts
Businesses will need to screen the language they use in their contracts to ensure these do not conflict with the rights as governed by GDPR. It will be the responsibility of the DPO to ensure contracts with suppliers, employees and customers mirror the consent language of marketing materials.
5: Ensure only the correct data is transferred across borders
International companies transferring data between different jurisdictions need to ensure they comply with relevant protection regulations. Data transfers across borders will be prohibited unless certain conditions are met. For example, adequate protection of personal data must be in place when EU citizens’ data is moved to another country. The company must know what kind of data is being shifted, from which country it is being sent and which jurisdiction receives the information.
Do not put this off – the EU GDPR deadline is nearly one month away. For more detailed information on the steps a company needs to undertake before the deadline on 25th May, download this Free GDPR Checklist.