Use our checklist to ensure your business is GDPR compliant.
How do you demonstrate that you are GDPR compliant?
Have you introduced measures to demonstrate that you are compliant? These may include internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies.
Document your processing activities
If appropriate, appoint a Data Protection Officer
Introduce measures that meet the principles of data protection, including:
allowing individuals to monitor processing; and
creating and improving security features on an ongoing basis.
The ICO also suggests carrying out a Data Protection Impact Assessment, where appropriate, to check how you're doing and whether you need to take action.
Data Protection Impact Assessment (DPIA)
A DPIA will help you to minimise the risks to individuals. To assess the level of risk, consider both the likelihood and the severity of any impact on individuals. If you have identified a high risk and the risk cannot be mitigated, you must consult the ICO before starting the processing.
A DPIA is required for certain types of processing, and for any other processing that is likely to result in a high risk to individuals' interests. It is good practice to do a DPIA as part of compliance checking.
The ICO say that a DPIA must:
"describe the nature, scope, context and purposes of the processing;
assess necessity, proportionality and compliance measures;
identify and assess risks to individuals; and
identify any additional measures to mitigate those risks".
Consult your DPO (if you have one) and, where appropriate, individuals and relevant Data Protection professionals and possibly consult with third party processors.
Here are some key subjects and considerations. Depending upon the nature of your business and how you use personal data, you may have already explored these areas in greater depth and you may also have sought guidance and advice from DP professionals.
Your staff may be aware of the Data Protection Act (DPA), but to what extent do they understand the GDPR and their new responsibilities?
Keep a record of those who have undergone training and ensure this is part of your firm’s ‘induction programme’.
Continue to ensure that all third parties you share customer information with understand their obligations under GDPR and any implications.
Data Protection Officer (DPO)
Have you decided to appoint a DPO? If so, they will need training and the full and impartial support of directors/partners.
Formalise the role of the DPO and ensure the business owners understand their responsibility to support the DPO in their duties.
Continue to review what data you hold and how it’s used
Understand all the types of personal data you hold and what it’s used for.
Also consider:
How will you ensure customers’ rights are upheld?
Will the way you hold and process personal data change in future?
Are you confident in the third party processors you work with and the way they hold and process data? Ensure your contractual agreements include GDPR compliance.
Continue to map out all the personal data you hold, where it's held and what it's used for. Record each item as either personal data or special category (sensitive) personal data.
Document how you are upholding your clients’ new rights.
Ensure you hold signed contracts with all third party data processors.
Where you continue to deliver marketing communications electronically, consider how you are also meeting the requirements under the Privacy and Electronic Communications Regulations (PECR).
On what lawful basis will you access, hold, process and transfer personal data?
Where ‘consent’ is relevant, did you gain this before the GDPR deadline?
Consider adopting a 'code of conduct' (it's not obligatory); you may wish to work towards one as a way of demonstrating that you comply.
Take a risk based approach to consider whether your arrangements for data security are sufficiently robust.
Have you sought guidance from data security experts? Ensure that any arrangements are regularly reviewed, and ensure your staff are aware of the risks and causes of data loss.