The UK’s Department for Digital, Culture, Media and Sport published the results of a survey showing that only 38 per cent of businesses are aware of the General Data Protection Regulation (GDPR). Out of these organizations, only around 25 per cent have introduced changes to the way they operate to comply with the rules set forth by the new set of regulations.
So for every 20 businesses, only eight have heard of the GDPR, and only two are making changes in light of the new rules. Furthermore, only one is including cybersecurity practices in their changes.
Here’s the hard truth: you cannot get away with doing nothing about GDPR. The deadline is coming: May 25, 2018. It does not matter how small or big your organization is; if you are still not ready for GDPR, you might be facing stiff penalties. But more than the penalties, the bigger reason why advisers and advisory firms should comply with the GDPR is that it will tell your customers that you are indeed serious about keeping their personal data safe.
This is especially important in this age where even Facebook is facing a scandal regarding how it has failed to keep the private data of their users contained.
The new GDPR rules are very important in the financial advisory industry because it is an industry where trust is key in getting and retaining customers.
What are the five questions you should ask yourself?
1. What does “GDPR-ready” really mean?
GDPR is a two-fold process. First, you need to make sure that you have all your cybersecurity measures in place. Are all your antivirus and antimalware software installed? Is your system safe from vulnerabilities? Are all your software updated?
Aside from that, you should also ensure that you have procedures and policies in place. You should have done a review of all the data you gather, who you share this data with, and how you are using these data. Train employees on the importance of data protection, and how to handle data properly.
More than that, you should update your privacy policy, fair processing, and other data-related notices.
What are the relevant provisions in the GDPR for this stage?
Key articles to look out for in the legislation:
- Article 25 (Making data protection important and making sure that your systems are secure by design)
- Article 33 (Reporting requirements after a breach is detected)
- Article 83 (Maximum fines imposed for violators)
2. Does installing a software automatically make you GDPR-ready?
While security and data management software can help you prepare for compliance, it is not a magic key for GDPR compliance. In fact, GDPR’s Article 24 requires a company to demonstrate compliance, so claiming to be compliant is never enough.
The software you use should be compliant, and should make sure which software involves customer data. You should know where these software store the data and what data is stored.
You should also know the difference between processors and controllers. Processors have to follow a stricter set of data management rules under GDPR.
One of the most important documents in this exercise is a well-crafted data processing agreement that should include how your data is going to be audited.
3. Will you really be fined millions because of a breach?
Technically, yes. GDPR said that the most severe violations can carry a fine of at least 20 million Euros or 4 per cent of your annual sales, whichever is greater between these two amounts.
In reality, however, the fines are going to be adjusted to your company’s ability to pay, whether you have demonstrated compliance with GDPR, the preventive measures you have put in place, the damage done, previous violations, prompt reporting, and cooperating with the ICO will also be considered.
The thing is, it is still going to be sizable, even if you do not get the maximum penalty. And if you are focused on how much you are going to pay in case of a data breach, then you are looking at GDPR all wrong. It should not be about the fines, but preventing data breaches and valuing your customer’s data privacy.
4. What should you remember about GDPR?
TL; DR. While you might not have the inclination to read through the GDPR, nor the expertise to understand it fully, here are the things you should know.
- The Key Definitions. Even before you start reviewing your data privacy policies and software used, you should get a thorough understanding of key terms as specified in the GDPR laws.
- You need to report data breaches within 72 hours of detecting one. This is very important to remember, other people misunderstands this requirement and think that they are required to report a breach within 72 hours after it happened.
- Keep your backups up-to-date and install a web application firewall.
- Data breaches do not only happen during office hours on weekdays. As such, you should have out of office policies in place as well. This policy will come in handy if you detect a breach on weekends, or on a Friday evening.
5. What is the most important article in GDPR?
If you only have time to read one article in the new regulation, then it should be Article 32, the part that discusses security of processing. The main thing to remember is that if you can see the information, then you are processing it. If you have it in your possession, then that is considered as processing it.
Aside from this article, you should also read Article 9 and Article 10 of the GDPR, which outlines the difference between sensitive personal data and non-sensitive data. You should know what sensitive data is and how much of these types of data are gathered by your systems, how you store them and how you process them.
6. But wait, what about paper records?
GDPR is a great reason to de-clutter your office and get rid of paper records. You should minimize the amount of paper records you hold, and make sure that you have a good filing system. You should also make sure that you know how many copies of each paper record exist in your system. Furthermore, you should store paper records in locked cabinets. Lastly, you should train your employees how to manage and handle paper records.
Photo courtesy of Convert GDPR.