On 25 May 2018, the General Data Protection Regulation (GDPR), the European Union’s new data privacy regulation, will go into effect. From that day forward, firms that handle data from citizens or residents of EU countries will be bound by the new rules. Failure to comply with the new regulation will come with potentially heavy penalties, so it’s important to pay close attention to the details.
The information provided in this blog post is not meant to be an exhaustive resource for clients, but it may be a helpful guide for firms confirming their readiness for the new regulation.
Understanding GDPR Roles/Classifications
Firms must ensure their privacy policies and procedures and their data security measures comply with GDPR.
An initial question is whether your firm is classified as a data processor or a data controller under the new regulation.
If your firm is determining the purpose of the storage or processing of personal information, it is considered a data controller. If your firm stores or processes personal data on behalf of another organisation, it is considered a data processor.
It is possible for a firm to be both a controller and processor.
Best Practices
Firms must ensure policies and procedures are designed to meet their data obligations under GDPR. If your firm is subject to GDPR, benchmarking your readiness against the following best practices may help you identify any potential holes:
- Information Identification. Generally, firms subject to GDPR – whether data controllers, data processors, or both – must maintain a list of the types of personal information the firm holds. Those lists must identify the source of the information, who data is shared with, how the firm uses data and how long information is maintained. Firms must also maintain lists of all of the places where personal information is kept, and the way data flows between multiple locations.
- Privacy Policies. GDPR-compliant firms will also maintain publicly-accessible privacy policies that outline firm policies and processes related to personal data. When privacy policies are updated, GDPR requires firms to notify existing clients of the changes. The privacy policy for firms designated as data controllers should also include a lawful basis to explain why the company needs to process personal information.
- Accountability and Management. Whether your firm is identified as a data processor or controller, it is important to ensure firm decision makers are aware of GDPR requirements and guidelines. Because GDPR impacts technical data, your firm must also be able to demonstrate that technical security is up-to-date and that the firm can demonstrate compliance with applicable standards.
- Staff Training. Firms must train staff to be aware of all relevant data protection requirements, including those required by the GDPR.
- Sub-Processor Compliance. If your firm relies on sub-processors, you should maintain a comprehensive list of sub-processors who meet GDPR standards. Your privacy policy should also mention your use of sub-processors, and your firm should maintain in-force contracts with any firm with which you share information.
- Consent Requirements and Issues. Firms identified as data controllers must obtain consent before processing personal information. Clients must also have the ability to withdraw consent as easily as it was granted. Finally, firms that process the personal information of children must verify children’s ages and obtain consent from their legal guardians
- Moving Data Internationally. Firms subject to the new regulation should regularly review their data transfer policies and procedures for effectiveness and for changes in the way the firm is actually handling data. In addition, firms should monitor the requirements of the other jurisdictions where data is sent or received to confirm compliance. Data should only be transferred outside the EU to countries that offer an appropriate level of protection.
- Breach Notifications. When a data breach involving personal data occurs, firms must report the breach to the local authority and to the people (data subjects) involved.
Personal Privacy Rights and Requirements Under GDPR
Both data processors and data controllers must ensure firm policies are designed to comply with the personal privacy provisions of GDPR.
Under the new regulation, both clients and end users (if different) must be able to easily understand how their personal information can be accessed and used. Your firm must have clear policies governing the automatic deletion of data your firm no longer has a business need to maintain when that data isn’t needed to satisfy regulatory obligations.
Clients and end users also have additional rights under GDPR. They must be able to easily request that their personal data be deleted. In addition, clients and end users must have the ability to easily request that the firm stop processing their data. However, both of these new rights are subject to regulatory requirements. So, if a firm is required to maintain or process information for regulatory purposes, that need will override any client’s or end user’s request.
Clients and end users must also be able to easily request that their data be delivered to themselves, or to a designated third party. Firms must ensure they have processes in place to manage such requests in a prompt and expedient manner.
Finally, firms identified as data controllers must ensure clients and end users have the ability to easily object to profiling or automated decision making that could impact them.
What is a DPO? Does Your Firm Need One?
The GDPR introduces a new supervisory role: The Data Privacy Officer (DPO). This role is not mandated for every organisation but is necessary in certain circumstances. Those include when the firm regularly and systematically monitors data subjects on a large scale or when the organisation monitors peoples’ criminal activity.
As a practical matter, this will likely impact most financial services firms in some respect, as personal information of clients and employees is monitored.
Conclusion
With the GDPR compliance date just around the corner, firms should confirm their efforts meet the requirements of the new regulation.
ComplySci is not a specialist in GDPR or compliance with it. However, we want to ensure the firms we work with understand the regulation’s scope. To learn more, visit the EU’s GDPR Portal.