On 25th May 2018, the General Data Protection Regulation (“GDPR”) will come into effect for all firms operating within Europe, as well as firms outside Europe whose data originates in, passes through or ends up in the EU. As part of this regulation, individuals will be afforded enhanced rights regarding their data. These include:
- Data minimisation – Ensuring firms acquire, keep and use only data that they need to operate. This also includes securing informed consent for the use of personal data.
- The right to be forgotten – Under GDPR, individuals have extended control over their data. They can request to know what data firms hold on them and can ask for said data to be deleted.
- HR and employee records – Unless a firm has a good reason to retain ex-employees’ data, it should be deleted.
- Data safeguarding – Ensuring firms have adequate protection policies in place.
GDPR will be wide-reaching and will affect firms and their procedures to a degree not seen in 20 years.
Who are the in-company administrators for GDPR?
Under GDPR, it will become best practice for firms to appoint a data officer to oversee the firm’s compliance. In addition, large firms may need to appoint a Data Protection Officer, registered with the Information Commissioner’s Office.
Firms will need to understand where and when they perform the function of data controller and data processor. Data processors carry out operations on data (storage, backup, analysis, transfer) on behalf of a data controller. Data controllers and data processors can be third parties or can be different departments or business units in the same firm, depending on the data workflow.
Recently, Complyport ran a webinar on GDPR which covered the challenges firms are facing during the implementation stage and how data protection can be managed after 25 May. You can listen to a recording of the webinar here.
What is Complyport offering firms to help?
Complyport will guide firms through the GDPR gap analysis process. We acknowledge that some or all of these points may have been addressed by firms, so our involvement may be one of ratification and confirmation. In general, we would expect the process to unfold as follows:
- Data audit completed – Has the firm mapped its data and understood what data is held and how it is processed per business line?
- Business activities listed – Are the business activities listed and is the data needed for each business line to function outlined?
- Internal responsibilities mapped – Are the internal processes listed within the data policies?
- Personal data identified / categorised – Identify what data would fall within sensitive categories and how it will be used.
- Data control / processing matched to use / consent (implied or explicit) – Ensure the Data Protection Policy is geared towards GDPR and individuals’ rights regarding their data.
- Third party contracts – Have these been examined and/or re-drafted?
- Information flows – Have these been identified and examined?
- Privacy notices – Are your company’s privacy notices up to date and still relevant?
Taking into account the business that the firm undertakes as well as its scope of permission, we can supply the following documentation needed for GDPR compliance:
- Data Protection Policy Template
- Data Breach Policy Template
- Data Retention and Erasure Policy Template
- International Data Transfer Policy Template
- Subject Access Request Policy
- Sample Supplier Data Processing Agreement
- Consent Register
- Data Retention Erasure Register
- Information Asset Register
- Processing Activities Register
To ensure firms have trained their staff to understand GDPR, Complyport is offering GDPR eLearning.
eLearning – Staff awareness course
Complyport offers training to ensure firms’ staff understand GDPR. Starting from how the regulation will affect them personally, the course leads staff to understand how it will impact their firm. This training will cover:
- What GDPR is meant to do
- Personal rights and expectations under GDPR
- Examples of what GDPR aims to prevent
- Important terms used in GDPR and what they mean
- How a firm can satisfy the rights and expectations of the individual
- What to consider in the workplace
- Responsibilities in the workplace
- Areas of change to expect within the workplace
GDPRcheck is Complyport’s Fintech offering. The system is designed as a gap-analysis and on-going monitoring tool to support Complyport’s GDPR consultancy services. It provides a single application accommodating scheduled monitoring questionnaires, policy document management and breach reporting facilities. A simplified “traffic-light” interface gives senior management an immediate overview of the firm’s GDPR compliance status, whilst giving GDPR practitioners fine-grained control over their progress towards satisfying the requirements of the regulation.
- Gap-analysis and monitoring questionnaires
- Automatic reminders
- Simplified management information
- Monitored policy library
- Breach Register
- Full audit trail
If you would like any further details on Complyport and how we can help your firm with GDPR, please contact us via the contact form or email email@example.com.