The key point of processing individuals' personal data under the GDPR is that doing so must be justifiable.
Controls will need to be in place: part of the GDPR's central tenet of 'privacy by design' is to justify the use of the personal data and to process only what is necessary.
Subject access requests must be abided by, so it is imperative to draw up how these will be handled. In theory they are not too challenging, but engaging an independent firm to ensure that you have the right procedures in place ahead of time will ensure the correct personal data is provided to the requesting data subject in a timely fashion.
If there is no justification for processing the personal data, then it should be deleted. Firms should carefully consider the process for enacting this, since removing justifiably processed personal data, or preserving personal data that should be deleted, could bring about issues in the future. Decisions will need to be taken at a policy level on what constitutes a justifiable reason for processing personal data, and on who is responsible for taking decisions when situations arise outside the norm.
There are a variety of regulations facing UK financial advice firms at present, and it is easy to see why many have reached the conclusion that the industry faces something of a regulatory overload. This only makes it more important that firms put in the time to understand what each piece of regulation means to them.
Other than the Data Protection Act 1998 itself, the GDPR does not supersede other pieces of legislation, such as MiFID II. They do not contradict each other, and the sub-clauses in each article of the GDPR lay out the caveats.
Again, this comes back to justifiable processing of data. If data must be retained under another regulation such as MiFID II, then that requirement itself justifies the processing of the personal data and, effectively, will theoretically override the need to delete the personal data under the GDPR. Making the effort to understand the nuances is extremely important and paints a much clearer picture of what firms will want to do.
Rights Of The Individual
It is also crucial to understand the rights of the individuals whose personal data is being processed. They have the right to request access to their personal data and the right to request that it is erased. Formulating a program to take care of their rights will offer a more effective indication of what data firms should and should not be processing.
Not every request to be forgotten needs to be satisfied; there are circumstances under which the firm has the right to retain the personal data. Understanding where and when this applies will go a very long way to ensuring compliance with the aspects relating to data retention and how you can respond to such requests for erasure.
Finally, firms must fully understand what constitutes a breach, when that breach should be reported to the Information Commissioner's Office, when that breach is sufficiently serious to be reported to data subjects, and when caveats apply that mean the breach may not need to be reported.
Identifying breaches is also an essential factor. Mapping out how breaches will be handled will help to avoid panic when they occur. It must be presumed that breaches will occur, so advice firms need to have responses set out for all staff to understand. How will the breach be handled and subsequently categorised? What data will be reported, and to whom? What are the time frames? Working these things out as they happen will not be easy, and an independent consultancy can help you identify your blind spots.
Understanding the regulation and justifying processing data will prepare the backbone of a firm’s response to GDPR. Putting the correct processes in place will smooth the passage towards handling breaches and supplying the regulators, and possibly individuals, with the correct information at such times.
For the very first time, the GDPR will introduce special protection for children's personal data, particularly in the context of commercial internet services, which includes social networking. If your organisation offers internet services ('information society services') to children and relies upon consent to collect information about them, then you may need a parent or guardian's consent in order to process their personal data lawfully. The GDPR sets the age at which a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger, then you will need to get consent from a person holding 'parental responsibility'.
This could have significant implications if your organisation offers online services to children and collects their personal data. Bear in mind that consent needs to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.