The big question is then, what do I need to do and when do I need to do it?

Well, with a little over 2 months to GDPR deadline day (25th May 2018) the answer to the second part of that question is, ‘Now’. We plan to implement on Monday 21st May 2018.

So what should you be doing in preparation?

Use resources available from the ICO, the FCA, The Right Mortgage and our provider partners to improve your understanding of GDPR and what impact it will have on your business.

Visit:

The ICO has created some checklists. Use them to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self-assessment checklist, a short report will be created suggesting practical actions you can take and providing links to additional guidance that will help you improve your data protection compliance.

These checklists can be found here.

It is now an express legal requirement to conduct data protection impact assessments, the purpose of which is to identify situations where data processing is likely to result in a high risk to individuals, for example:

  • Where a new technology is being deployed;
  • Where a profiling operation is likely to significantly affect individuals;
  • Where there is large-scale processing of special categories of data.

More information can be found here.

Review the data that you hold, who you hold it on, why you hold it, how accurate it is, how you came by it, and how long you have held it for. Also, consider what rights you have to hold this information currently and what agreement you have from your customers. You can document this audit by using this template here.

For more information click here.

Review your current data protection policies and consider whether these are GDPR compliant. Adjust your policies to meet GDPR requirements in time for GDPR implementation. A sample policy is available here.
We plan to provide you with as much support as possible over the next two months to produce the various policies you will require; examples include:

  • Written lawful basis for processing data
  • Subject access request policy/process
  • Privacy notice
  • Consent document
  • Data breach recording/reporting policy and register

Please visit the GDPR document library here.

Become familiar with the rights of individuals: (click on the links for more information)

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. The right not to be subject to automated decision-making, including profiling

Individuals’ rights have not changed massively from those already held by data subjects under previous Data Protection legislation, but there are some significant enhancements. For example, consider: could I effectively deal with a request from a customer to have their data deleted? What would be the impact of this?

You need to educate and train your staff on the requirements of GDPR and explain the impact it will have on the business and their role. This training should be documented and should be available should the ICO wish to audit your procedures. Particular attention should be paid to how personal data is processed by each department in your business.

Tell your clients what you are doing in relation to GDPR and why you are doing it; this will give them confidence that you know what you are doing and will separate you from the competition. This education must include how you will use their data, what the lawful basis for doing so is, how you will store their data, how long it will be stored for and what rights they have.

This will need to be done in a durable medium (as well as verbally if you wish), and they must agree to the use of their information in accordance with an explicit data protection statement that is written in clear, easy-to-understand language.

In most cases you will not be allowed to charge for complying with a subject access request. Additionally, you will now have 1 month to comply with such a request, rather than the 40 days currently allowed. In our experience, subject access requests are few and far between, so we don’t expect these changes to have a large impact; nonetheless, you should be familiar with this data subject right and be prepared to respond in a timely fashion.

We will be happy to provide further support in this regard. The first step, however, is for you to have a formal policy on this. Keep an eye on the Members’ website – we hope to have one on there very soon for you!

Review how you seek, record and manage consent making appropriate changes to your policy and associated documents. The ICO has published some detailed guidance regarding obtaining consent under GDPR which also includes a checklist to review your practices – click here for more information.

Remember that consent must be freely given; in other words, the client must specifically give their consent and positively opt in. This consent must be separate from other forms of client communication and should be verifiable for all clients. You will therefore need to consider how you obtain and evidence consent.

For more information click here.

There are set criteria that establish whether you will require a Data Protection Officer; for most of our firms, this will not be necessary.

Nonetheless, you should be aware that Adam Stretton will act as Data Protection Officer (dpo@therightmortgage.co.uk) for the entire network. It would also be wise to have a Data Security Champion within each of your businesses who will work with the Data Protection Officer to manage your customers’ privacy.

For more information click here.

You should have a policy in place to detect, report and investigate a personal data breach. It is important that this policy includes the circumstances under which you would notify the ICO of a breach (e.g. where the data breach is likely to result in a risk to the rights and freedoms of individuals).

Your breach process should also include the notification of any breach to the data subject. GDPR allows you 72 hours to report any data breach to the customer or the appropriate authorities (from the time of becoming aware of the breach).

You will also be required to notify Adam Stretton, Data Protection Officer (dpo@therightmortgage.co.uk).

For more information click here.

Hardware

It is necessary to ensure that all devices used for storing or transferring client data meet the ICO guidelines for hardware; for example, phones and computers/laptops must be password protected and encrypted.

Client Portal

Starting immediately, it is recommended that all advisers begin using the client portal on The Key to communicate with clients. This portal has been assessed and conforms to the ICO requirements concerning GDPR. Any deviation from this is done at your own risk.

Guides to the client portal on The Key:

Existing features and future enhancements of the Key will protect you as an Adviser. These include:

  • Data portability: The Key will allow data to be exported to cater for either client subject access or data portability requests
  • Consent: The Key will provide enhanced functionality to record consent
  • Right to be forgotten: With the Key, delete client records entirely with an audit record
  • Physical security: All data stored on their systems is secure.

For more information click here.

GDPR also requires compliance from non-EU organisations that transact business with EU residents. This could impact any cloud-based storage you use which is outside of the EU. For that reason you need to establish where information is stored remotely and whether that storage complies with GDPR.

Paper documents present as large a data protection risk as electronic data; therefore any paper files must also be stored in a locked filing cabinet. The problem with paper files can be remembering what is stored where, so you must have a robust filing system that clearly details what is held and where – this is particularly important when considering a customer’s right to erasure.

It is also imperative that you have an agreed, safe process for the destruction of documents; after all, many advisers will make copies of certain file information to use on the visit to the client, and caution needs to be taken when doing this and when destroying this data after its use.

Many firms are choosing to use GDPR as an opportunity to go completely paperless – perhaps you could consider this for your business; after all, it is easier to follow an electronic paper trail than a physical one.

All of this information is provided on a goodwill basis to assist you with your migration to GDPR compliance in advance of the implementation date, and we accept no liability for our interpretation of the GDPR Act. It is the responsibility of the data controller to ensure compliance in advance of the implementation of the GDPR Act.