As noted in our previous newsletters, the General Data Protection Regulation (GDPR) is effective from 25 May 2018. However, there are some issues that need to be addressed in advance of that date in order to ensure that firms are not in breach after May 2018.
One of these is the need to document your position with regard to personal data. As a reminder, ‘personal data’ means any information relating to a natural person who can be identified, directly or indirectly from that data.
We have put together the following document to help guide the thought process as far as data is concerned. We would recommend that you allocate responsibility for completing the review to a senior member of staff as soon as possible. There may be issues identified that cannot immediately be resolved, so it is better to identify any problems sooner rather than later.
| Core issue | Considerations |
|---|---|
| What data do we hold or process for clients or staff? | We need to document the personal data that we hold. This may include name, address, DOB, conviction data, underwriting information, bank and credit card details, and IP address. |
| Do we hold any ‘Special Category’ personal data? | Do we hold any data relating to the health of the subject? If so, for clients, which products does this apply to? We will need explicit consent to process or hold such data under the GDPR. |
| Where is data held? | We need to document where data is held: paper files, in-house systems, email folders, call recordings, anywhere else? |
| Data portability | We need to be able to provide client data in an electronic format. Can we export client data from our system to, for example, a CSV file? |
| Subject access requests | We need to respond to these within 30 days. Can we quickly extract and deliver all of the information we hold about the client? Again, can this be provided electronically? Can we quickly identify all of the locations where data could be held within our organisation? |
| Source | Generally, from the client. Any other sources? Introducers, marketing organisations, any others? |
| Destinations | Where do we send data? Who else may get access to it? Insurers, auditors, external consultants, credit providers, banks, financial transaction processors, crime and fraud prevention agencies and databases, and regulators. Can the data go anywhere else? |
| Purpose | Do we use data only for the purpose communicated to the client? |
| How long do we hold data for? | We need a data retirement or destruction process for data that we no longer need to hold. |
| Do we hold obsolete data? | If so, we need to delete it. |
| How do we delete obsolete data? | How can we demonstrate that the data has been permanently deleted? |
As always, we are more than happy to provide any advice or guidance needed and we will be using the information from this work to help complete the larger data protection project that will enable compliance with the GDPR.