On 25th May 2018, the General Data Protection Regulation (“GDPR”) came into effect for all firms operating within Europe, as well as firms outside of Europe whose data originates from, passes through or ends up in the EU. As part of this regulation, individuals are afforded enhanced rights regarding their data. This includes:

  • Data minimisation – Ensuring firms acquire, keep and use only data that they need to operate. This also includes securing informed consent for the use of personal data.
  • The right to be forgotten – Under GDPR, individuals have extended control over their data. They can request to know what data firms hold on them and can ask for said data to be deleted.
  • HR and employee records – Unless a firm has a good reason to retain ex-employees’ data, it should be deleted.
  • Data safeguarding – Ensuring firms have adequate protection policies in place.

GDPR is wide reaching and affects firms and their procedures to a degree not seen in 20 years.

What is Complyport offering firms to help?

Gap analysis

Complyport will guide firms through the GDPR gap analysis process. We acknowledge that some or all of these points may have been addressed by firms, so our involvement may be one of ratification and confirmation. In general, we would expect the process to unfold as follows:

  • Data audit completed – Has the firm mapped its data and understood what data is held and how it is processed per business line?
  • Business activities listed – Are the business activities listed and is the data needed for each business line to function outlined?
  • Internal responsibilities mapped – Are the internal processes listed within the data policies?
  • Personal data identified / categorised – Identify what data would fall within sensitive categories and how it will be used.
  • Data control / processing matched to use / consent (implied or explicit) – Ensure the Data Protection Policy is geared towards GDPR and individuals’ rights regarding data.
  • Third party contracts – Have these been examined and/or re-drafted?
  • Information flows – Have these been identified and examined?
  • Privacy notices – Are your company’s privacy notices up to date and still relevant?

Documentation

Taking into account the business that the firm undertakes as well as its scope of permission, we can supply the following documentation needed for GDPR compliance:

  • Data Protection Policy Template
  • Data Breach Policy Template
  • Data Retention and Erasure Policy Template
  • International Data Transfer Policy Template
  • Subject Access Request Policy
  • Sample Supplier Data Processing Agreement
  • Consent Register
  • Data Retention Erasure Register
  • Information Asset Register
  • Processing Activities Register

Training

To ensure firms have trained their staff to understand GDPR, Complyport is offering GDPR eLearning.

eLearning — Staff awareness course

We offer training to ensure firms’ staff understand GDPR and, starting from how it will affect them personally, will lead them to understand how it will impact their firm. This training covers:

  • What GDPR is meant to do
  • Personal rights and expectations under GDPR
  • Examples of what GDPR aims to prevent
  • Important terms used in GDPR and what they mean
  • How a firm can satisfy the rights and expectations of the individual
  • What to consider in the workplace
  • Responsibilities in the workplace
  • Areas of change to expect within the workplace

GDPRcheck

GDPRcheck is Complyport’s Fintech offering. The system is designed as a gap-analysis and on-going monitoring tool to support Complyport’s GDPR consultancy services. It provides a single application accommodating scheduled monitoring questionnaires, policy document management and breach reporting facilities. A simplified “traffic-light” interface gives senior management an immediate overview of the firm’s GDPR compliance status, whilst giving GDPR practitioners fine-grained control over their progress towards satisfying the requirements of the regulation.

Features include:

  • Gap-analysis and monitoring questionnaires
  • Automatic reminders
  • Simplified management information
  • Monitored policy library
  • Breach Register
  • Full audit trail

Cyber Security

The media is increasingly filled with examples and stories concerning cyber-security, breaches, and the dire consequences experienced by firms who have got it wrong. Regulation and statute are both addressing the issues and establishing frameworks in which firms should operate, but this is an ongoing process and is often pitched at an abstract level devoid of real-world interpretation.

Senior management need to be confident that they have correctly identified their IT and cyber threat risks, mitigated these risks in a proportionate and on-going manner and verified that this has been accurately communicated to their IT departments or service providers and has been implemented as required.

We offer a cyber-security coordination service to guide firms in fulfilling their regulatory obligations toward cyber-security including:

  • education of senior management on their expected roles and responsibilities, levels of engagement and subject awareness
  • advice on governance, policies and procedures
  • Business Continuity Plan (BCP)
  • Disaster Recovery (DR) planning and documentation

We also offer online employee awareness training in cyber-security through our online ComplyTrainer system.

GDPR Webinar

Recently, Complyport ran a webinar on GDPR which covered the challenges firms are facing during the implementation stage and how data protection can be managed after 25 May. You can listen to a recording of the webinar here.