Data deadlines: a timeline to prepare for GDPR

In the run-up to the introduction of the GDPR, here is a checklist of steps advisers should be taking to stay ahead of the game

With the general data protection regulation (GDPR) set to come into force on 25 May, many firms face a race against time to achieve compliance. Many tasks are likely to be time-consuming, so firms need to make sure they are investing in the right resources and allocating time to those activities where it is needed most.

A timeline of what needs doing when can help firms stay on the right track over the coming months.


January

Complete your data inventory

By now companies should have completed a data inventory to understand the personal data they process. This includes a comprehensive understanding of the data lifecycle via a data mapping exercise.  

Depending on the size of an organisation, the quality of data and the formats in which it is held, this can be a significant undertaking.
The inventory should set out, among other things, the format and location in which data is stored, who has access to the data, the firm’s legal basis for processing each data asset and the relevant retention period.

Although a data inventory is not a specific requirement under the GDPR, from a best practice perspective it will give firms an understanding of how they store data. Furthermore, it will help identify any potentially non-compliant processing. 

Many subsequent tasks can only be tackled once this is complete. So if firms have not started this by now, they are likely to be well behind the curve. Firms should look to complete this by the end of January at the latest.

January - mid-March

Update policies and procedures

At this stage in the game, firms should have devised new processes and procedures to maintain the integrity of the personal data held. Updating policies and procedures ensures breaches and data subject access requests are being dealt with in line with the new timeframes defined by the GDPR.

But policies and procedures mean nothing if they are not supported by training and engagement from staff to make sure they are implemented fully in practice.

January - February

Review and update systems and client consent

If a firm relies on consent as a legal basis for processing personal data, appropriate consent management is essential. Under GDPR, consent must be a ‘freely given, specific, informed and unambiguous’ indication of the data subject’s wishes. This must be achieved by way of a statement or clear affirmative action.

It is important, therefore, to review and update the current consent advisers have with their clients. Ideally this should be completed by mid-February.

February - May

Carry out a data cleanse process

In the process of completing an inventory, firms may discover they are storing data for which they have no legal basis for processing. Or they may find they are holding data that is no longer necessary, out of date, or inaccurate.  

A data cleanse will either anonymise or delete this kind of data.

This is likely to require time and resources. It may take at least a month to complete, so we would recommend starting that process as soon as possible. Firms should set a plan and allocate responsibility throughout the business for locating and appropriately cleansing the personal data held before the deadline of 25 May, allowing a contingency period so that there is time to act should anything unexpected crop up.

March - April

Set up ongoing consent

A process for gaining, maintaining and recording customer consent will also need to be set up. This should include specific consent for processing special categories of data, such as sensitive data. This process needs to be able to store the time and date of consent, the method of consent and what terms a client is consenting to.

Consent should not be bundled up with terms and conditions, which ensures opt-in is not a precondition for signing up to a service (unless necessary for that service). Pre-ticked opt-in boxes will no longer be considered consent under the GDPR.

As technology is invariably involved here, firms should factor in some time to allow for changes to be made to customer management systems.

Mid-March - May

Schedule data protection training

We suggest by mid-March managers or directors should have scheduled specific periodic data protection training and awareness campaigns. Additionally, policies and procedures should be further reviewed to address all aspects of GDPR.  

Training programmes should help deliver a company-wide engagement programme that ensures all staff are aware of GDPR, the implications for getting it wrong and the part each stakeholder must play in ensuring compliance with the regulation.

Lorraine Mouat is senior regulatory consultant at TCC.
